Description
Command injection in nodemailer
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
References
- https://nvd.nist.gov/vuln/detail/CVE-2020-7769
- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- https://www.npmjs.com/package/nodemailer
Packages
Name: nodemailer (npm)
Affected versions: < 6.4.16
Fixed version: 6.4.16
Related vulnerabilities
CVSS3: 8.6
ubuntu
about 5 years ago
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
CVSS3: 8.6
nvd
about 5 years ago
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
CVSS3: 8.6
debian
about 5 years ago
This affects the package nodemailer before 6.4.16. Use of crafted reci ...