CVE-2020-7769
CRITICAL9.8EPSS 0.51%Command injection in nodemailer
發布日:2021/5/10修改日:2025/1/14
描述
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
受影響套件(2)
- Debian/node-nodemailerfrom 0, < 6.4.16-1
- npm/nodemailerfrom 0, < 6.4.16
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(8)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2020-7769
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2020-7769
- WEBhttps://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75
- WEBhttps://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js#L75
- WEBhttps://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
- WEBhttps://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
- WEBhttps://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- WEBhttps://www.npmjs.com/package/nodemailer