CVE-2020-7769
CRITICAL9.8EPSS 0.51%Command injection in nodemailer
Published: 5/10/2021Modified: 1/14/2025
Description
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
Affected packages (2)
- Debian/node-nodemailerfrom 0, < 6.4.16-1
- npm/nodemailerfrom 0, < 6.4.16
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References (8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7769
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-7769
- WEBhttps://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75
- WEBhttps://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75
- WEBhttps://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
- WEBhttps://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- WEBhttps://www.npmjs.com/package/nodemailer