Severity: High
CVSS score: 7.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L)
SmokeDetector is designed to be a community-run project to detect spam. By its nature, this relies on individuals who are able to donating server space to run the software, while others with whom server operators do not necessarily interact are more involved in the software's development and running.
This nature of operation, and the ability to automatically deploy updated copies of SmokeDetector without server operator authority, means that remote unrestricted code execution is entirely possible, and even required for efficient operation of SmokeDetector. Exploitation of this vulnerability can result in code unseen by a server operator running in the context of the user owning the process.
Server operators for SmokeDetector are strongly advised to carefully consider this risk before adding their instance to the pool. It is highly recommended that operators take precautions to limit the impact of any exploitation of this vulnerability. This may include running SmokeDetector under a user account with limited permissions and system access, or running it within a container, virtual machine, or on an entirely separate dedicated system. Running SmokeDetector on a system that also runs important, sensitive, or critical systems or infrastructure is inadvisable, as slight oversights in server configuration may result in the complete loss of confidentiality, integrity, or availability of these services.
Severity: High
CVSS score: 7.0 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:L)
SmokeDetector is designed to be a community-run project to detect spam. By its nature, this relies on individuals who are able to donating server space to run the software, while others with whom server operators do not necessarily interact are more involved in the software's development and running.
This nature of operation, and the ability to automatically deploy updated copies of SmokeDetector without server operator authority, means that remote unrestricted code execution is entirely possible, and even required for efficient operation of SmokeDetector. Exploitation of this vulnerability can result in code unseen by a server operator running in the context of the user owning the process.
Server operators for SmokeDetector are strongly advised to carefully consider this risk before adding their instance to the pool. It is highly recommended that operators take precautions to limit the impact of any exploitation of this vulnerability. This may include running SmokeDetector under a user account with limited permissions and system access, or running it within a container, virtual machine, or on an entirely separate dedicated system. Running SmokeDetector on a system that also runs important, sensitive, or critical systems or infrastructure is inadvisable, as slight oversights in server configuration may result in the complete loss of confidentiality, integrity, or availability of these services.