GitHub Advisory Database: GHSA-4QPJ-GXXG-JQG4
History: May 29, 2024 - 1:13 p.m.

Swiftmailer Sendmail transport arbitrary shell execution

AI Score: 7.2 (Confidence: High)

Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to arbitrary shell execution if the “From” header came from a non-trusted source and no “Return-Path” was configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.

Affected configurations

Vulners node: swiftmailer swiftmailer, range 4.0.0 to 5.2.1

Vendor | Product | Version | CPE
swiftmailer | swiftmailer | * | cpe:2.3:a:swiftmailer:swiftmailer:*:*:*:*:*:*:*:*
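
A check a defender could run against a project's composer.lock to see whether it falls in the range above and references the sendmail transport. This is an added example, not part of the advisory or of Swiftmailer. It assumes the library was installed through Composer as swiftmailer/swiftmailer and treats 4.0.0 up to but not including 5.2.1 as affected; the function names, status strings and sample inputs are constructed for illustration.

```python
import json
import re

PACKAGE = "swiftmailer/swiftmailer"  # Composer package name (assumed install method)
FIRST_AFFECTED = (4, 0, 0)           # lower bound of the advisory's affected range
FIRST_FIXED = (5, 2, 1)              # release the advisory names as fixed
# Class named in the advisory, plus its public subclass Swift_SendmailTransport.
SENDMAIL_USE = re.compile(r"\bSwift_(?:Transport_)?SendmailTransport\b")

# Constructed sample inputs, not taken from any real project.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "swiftmailer/swiftmailer", "version": "v5.2.0"}]})
SAMPLE_PHP = "$transport = Swift_SendmailTransport::newInstance('/usr/sbin/sendmail -bs');"


def parse_version(text):
    """Turn 'v5.2.0' or '5.2' into a 3-tuple; None for branches and pre-releases."""
    m = re.fullmatch(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    return tuple(int(p or 0) for p in m.groups()) if m else None


def installed_version(lock_text):
    """Return the locked Swiftmailer version string, or None if it is absent."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name", "").lower() == PACKAGE:
                return pkg.get("version", "")
    return None


def assess(lock_text, php_sources=()):
    """Classify a project against the advisory's version range and transport."""
    raw = installed_version(lock_text)
    if raw is None:
        return "not-installed"
    version = parse_version(raw)
    if version is None:
        return "unknown-version"      # e.g. 'dev-master': review by hand
    if not FIRST_AFFECTED <= version < FIRST_FIXED:
        return "not-affected"
    if any(SENDMAIL_USE.search(src) for src in php_sources):
        return "affected-sendmail-in-use"
    return "affected"


if __name__ == "__main__":
    print(assess(SAMPLE_LOCK, [SAMPLE_PHP]))
```

A result of "affected" without the sendmail match still calls for the upgrade; the transport scan only helps prioritise projects where the vulnerable class is actually referenced.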
