CVE-2020-36326

CRITICAL 9.8 · EPSS 0.30%

Object injection in PHPMailer/PHPMailer

Published: 2021/5/4 · Modified: 2024/2/17
Also known as: GHSA-m298-fh5c-jc66, BIT-phpmailer-2020-36326, BIT-wordpress-2020-36326, BIT-wordpress-multisite-2020-36326

Description

### Impact

This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.

### Patches

This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.

### Workarounds

Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.

### Credit

This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.
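The workaround above, as an added example of caller-side validation (this is not PHPMailer's own code; the function names, the `$allowedDir` confinement and the demo directory are assumptions made here). The regex mirrors the URL-scheme test the advisory points to, and the example goes one step further by also confining the resolved path to an allow-listed directory:

```php
<?php
// Added example: validate a user-supplied attachment path in calling code
// before it reaches any PHP file function (file_exists, is_file, addAttachment).
// Not PHPMailer's code; names below are assumptions for illustration.

// Reject anything carrying a URL scheme (phar://, http://, data:// ...).
// Scheme grammar follows RFC 3986 section 3.1, the same idea as isPermittedPath().
function looksLikeUrl(string $path): bool
{
    return (bool) preg_match('#^[a-z][a-z\d+.-]*://#i', $path);
}

// Resolve $userPath relative to $allowedDir and confirm it is a regular file
// inside that directory. Returns the canonical path, or null when rejected.
function safeAttachmentPath(string $userPath, string $allowedDir): ?string
{
    if ($userPath === '' || looksLikeUrl($userPath)) {
        return null;                       // a URL of any kind is never a local attachment
    }
    if (strpos($userPath, "\0") !== false) {
        return null;                       // NUL bytes truncate paths in some file functions
    }
    $base = realpath($allowedDir);
    $real = realpath($allowedDir . DIRECTORY_SEPARATOR . $userPath);
    if ($base === false || $real === false) {
        return null;                       // directory or file does not exist
    }
    // Canonical path must stay under the allow-listed directory (blocks ../ traversal).
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($real) ? $real : null;
}

// Constructed demo: one real file in a temporary allow-listed directory.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'attach_demo';
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'report.pdf', 'demo');

foreach (['report.pdf', 'phar://archive.phar/file.txt', '../../etc/hosts', ''] as $candidate) {
    $ok = safeAttachmentPath($candidate, $dir);
    printf("%-32s => %s\n", var_export($candidate, true), $ok === null ? 'rejected' : 'accepted');
}
// Only an accepted path should be handed to $mail->addAttachment($ok).
```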

Affected packages (5)

  • Bitnami/phpmailer: >= 6.1.8, < 6.4.1
  • Bitnami/wordpress: >= 3.7.0, < 3.7.36, >= 3.8.0, < 3.8.36, >= 3.9.0, < 3.9.34, >= 4.0.0, < 4.0.33, >= 4.1.0, < 4.1.33, >= 4.2.0, < 4.2.30, >= 4.3.0, < 4.3.26, >= 4.4.0, < 4.4.25, >= 4.5.0, < 4.5.24, >= 4.6.0, < 4.6.21, >= 4.7.0, < 4.7.21, >= 4.8.0, < 4.8.17, >= 4.9.0, < 4.9.18, >= 5.0.0, < 5.0.13, >= 5.1.0, < 5.1.10, >= 5.2.0, < 5.2.11, >= 5.3.0, < 5.3.8, >= 5.4.0, < 5.4.6, >= 5.5.0, < 5.5.5, >= 5.6.0, < 5.6.4, >= 5.7.0, < 5.7.2
  • Bitnami/wordpress-multisite: >= 3.7.0, < 3.7.36, >= 3.8.0, < 3.8.36, >= 3.9.0, < 3.9.34, >= 4.0.0, < 4.0.33, >= 4.1.0, < 4.1.33, >= 4.2.0, < 4.2.30, >= 4.3.0, < 4.3.26, >= 4.4.0, < 4.4.25, >= 4.5.0, < 4.5.24, >= 4.6.0, < 4.6.21, >= 4.7.0, < 4.7.21, >= 4.8.0, < 4.8.17, >= 4.9.0, < 4.9.18, >= 5.0.0, < 5.0.13, >= 5.1.0, < 5.1.10, >= 5.2.0, < 5.2.11, >= 5.3.0, < 5.3.8, >= 5.4.0, < 5.4.6, >= 5.5.0, < 5.5.5, >= 5.6.0, < 5.6.4, >= 5.7.0, < 5.7.2
  • Debian/libphp-phpmailer: from 0, < 6.2.0-2
  • Packagist/phpmailer/phpmailer: >= 6.1.8, < 6.4.1

CVSS score

| Source | Version  | Severity     | Vector                                       |
|--------|----------|--------------|----------------------------------------------|
| osv    | CVSS 3.1 | CRITICAL 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |

References (10)