GHSA-wfrj-qqc2-83cm

Опубликовано: 20 сент. 2021

Источник: github

Github: Прошло ревью

CVSS3: 5.8

Описание

Remote command injection when using sendmail email transport

Impact

Sites using the sendmail transport as part of their mail config are vulnerable to remote command injection due to a vulnerability in the nodemailer dependency.

Ghost defaults to the direct transport so this is only exploitable if the sendmail transport is explicitly used.

Patches

Fixed in 4.15.0, all sites should upgrade as soon as possible.

Workarounds

Use an alternative email transport as described in the docs.

For more information

If you have any questions or comments about this advisory:

email us at security@ghost.org

Ссылки

https://github.com/TryGhost/Ghost/security/advisories/GHSA-wfrj-qqc2-83cm
https://github.com/TryGhost/Ghost/commit/93e4b2eafd18bc8e4c17924e0824e73617e7940c
https://github.com/advisories/GHSA-48ww-j4fc-435p

Пакеты

Наименование

ghost

npm

Затронутые версииВерсия исправления

< 4.15.0

4.15.0

5.8 Medium

CVSS3

Дефекты

CWE-88

5.8 Medium

CVSS3

Дефекты

CWE-88