CVE-2024-20328

Publication date 9 February 2024

Last updated 24 July 2024


Ubuntu priority

A vulnerability in the VirusEvent feature of ClamAV could allow a local attacker to inject arbitrary commands with the privileges of the application service account.The vulnerability is due to unsafe handling of file names. A local attacker could exploit this vulnerability by supplying a file name containing command-line sequences. When processed on a system using configuration options for the VirusEvent feature, the attacker could cause the application to execute arbitrary commands. ClamAV has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

Read the notes from the security team

Status

Package Ubuntu Release Status
clamav 24.04 LTS noble
Fixed 1.0.5+dfsg-1ubuntu1
23.10 mantic
Fixed 1.0.5+dfsg-0ubuntu0.23.10.1
22.04 LTS jammy
Not affected
20.04 LTS focal
Not affected
18.04 LTS bionic
Not affected
16.04 LTS xenial
Not affected
14.04 LTS trusty
Not affected

Notes


mdeslaur

doesn't appear to affect 0.103.x

References

Related Ubuntu Security Notices (USN)

    • USN-6636-1
    • ClamAV vulnerabilities
    • 14 February 2024

Other references