Bugzilla – Bug 1219725
VUL-0: CVE-2024-20328: clamav: clamav: command injection vulnerability in the "VirusEvent" feature of ClamD service
Last modified: 2024-02-08 09:32:54 UTC
CVE-2024-20328: Fixed a possible command injection vulnerability in the "VirusEvent" feature of ClamAV's ClamD service. To fix this issue, we disabled the '%f' format string parameter. ClamD administrators may continue to use the `CLAM_VIRUSEVENT_FILENAME` environment variable instead of '%f', but you should do so only from within an executable, such as a Python script, and not directly in the clamd.conf "VirusEvent" command.

Affected versions:
  0.104 (all patch versions)
  0.105 (all patch versions)
  1.0.0 through 1.0.4 (LTS)
  1.1 (all patch versions)
  1.2.0 and 1.2.1

References:
  https://blog.clamav.net/2023/11/clamav-130-122-105-released.html
  http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-20328
  https://bugzilla.redhat.com/show_bug.cgi?id=2263264

Patch:
  https://github.com/Cisco-Talos/clamav/commit/fe7638287bb11419474ea314652404e7e9b314b2
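The following is an added example, not code from the ClamAV project or from this bug report. It models the pre-fix VirusEvent behaviour described above as a plain text substitution of '%f' into a command line that is then handed to a shell, and contrasts it with the recommended post-fix pattern: a script that takes the path from CLAM_VIRUSEVENT_FILENAME and never lets a shell re-parse it. The substitution model is a simplification and not clamd's source; the script path /usr/local/bin/clam-alert.py, the alert script clam-alert.sh, the hostile filename and the virus name are all constructed for the demonstration; CLAM_VIRUSEVENT_VIRUSNAME is assumed to be set by clamd next to CLAM_VIRUSEVENT_FILENAME.

```python
"""Added example (not ClamAV project code): why a VirusEvent line using
"%f" was a command-injection sink, and how a handler should take the path
from CLAM_VIRUSEVENT_FILENAME instead.

Assumptions: expand_virusevent() is a simplified model of clamd's
pre-fix substitution, not its source; CLAM_VIRUSEVENT_VIRUSNAME is assumed
to be exported alongside CLAM_VIRUSEVENT_FILENAME; all paths and inputs
below are constructed.
"""
import os
import shlex
import subprocess
from typing import List, Mapping

# Constructed inputs: a clamd.conf VirusEvent line of the kind the advisory
# warns about (quoting "%f" does not help), and an uploaded file whose name
# carries shell metacharacters.
VULNERABLE_VIRUSEVENT = '/usr/local/bin/clam-alert.sh "%v" "%f"'
HOSTILE_FILENAME = '/srv/upload/x"; touch /tmp/pwned; echo "'
VIRUS_NAME = "Eicar-Signature"


def expand_virusevent(template: str, filename: str, virusname: str) -> str:
    """Simplified model (assumption, not clamd's code) of the pre-fix
    behaviour: %v and %f are replaced textually and the result is passed to
    a shell, so nothing in the filename is quoted or escaped."""
    return template.replace("%v", virusname).replace("%f", filename)


def shell_words(command: str) -> List[str]:
    """Tokenise like a POSIX shell, keeping ';', '|', '&' and friends as
    their own tokens, so we can see how many commands the shell would run."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def injected_separators(template: str, filename: str, virusname: str) -> int:
    """Count of ';' command separators the expanded line contains. A clean
    filename yields 0; the hostile one above yields 2."""
    return shell_words(expand_virusevent(template, filename, virusname)).count(";")


def alert_argv(environ: Mapping[str, str]) -> List[str]:
    """Post-fix pattern. clamd.conf carries no format parameter at all:

        VirusEvent /usr/local/bin/clam-alert.py      # hypothetical path

    and the script reads the path from the environment clamd exports. The
    filename becomes one argv element that no shell re-parses, so the
    metacharacters are inert. CLAM_VIRUSEVENT_VIRUSNAME is assumed to be
    set by clamd as well."""
    filename = environ.get("CLAM_VIRUSEVENT_FILENAME")
    if not filename:
        raise ValueError("CLAM_VIRUSEVENT_FILENAME not set; not invoked by clamd?")
    virusname = environ.get("CLAM_VIRUSEVENT_VIRUSNAME", "unknown")
    # logger(1) receives the message as a single argument; no shell involved.
    return ["logger", "-t", "clamd", f"infected: {filename} ({virusname})"]


if __name__ == "__main__":
    expanded = expand_virusevent(VULNERABLE_VIRUSEVENT, HOSTILE_FILENAME, VIRUS_NAME)
    print("pre-fix command line:", expanded)
    print("shell tokens:        ", shell_words(expanded))
    # When started by clamd the real environment is used; otherwise fall
    # back to the constructed values so the script runs stand-alone.
    env = os.environ if "CLAM_VIRUSEVENT_FILENAME" in os.environ else {
        "CLAM_VIRUSEVENT_FILENAME": HOSTILE_FILENAME,
        "CLAM_VIRUSEVENT_VIRUSNAME": VIRUS_NAME,
    }
    argv = alert_argv(env)
    print("safe argv:           ", argv)
    try:
        subprocess.run(argv, check=False)  # shell=False: argv passed verbatim
    except FileNotFoundError:
        print("logger(1) not available on this host; argv shown above")
```

The check to take away: run shell_words() over any VirusEvent line you still carry in clamd.conf and, for a filename containing `"`, `;` or `$(...)`, see whether the token list grows beyond the arguments you intended. On the fixed releases '%f' is no longer expanded, so the only supported route to the filename is the environment variable read inside the handler, as alert_argv() does.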
Closed because all code streams are not affected.