CVE-2020-7769 Vulnerability in maven package org.webjars.npm:nodemailer

Description

This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.

Remediation

References

https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75

https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742

https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834

Related Vulnerabilities

CVE-2020-7708 Vulnerability in npm package irrelon-path

CVE-2021-33605 Vulnerability in maven package com.vaadin:vaadin-checkbox-flow

CVE-2023-23850 Vulnerability in maven package org.jenkins-ci.plugins:synopsys-coverity

CVE-2018-12536 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2023-46657 Vulnerability in maven package org.jenkins-ci.plugins:gogs-webhook

Severity

Critical

Classification

CWE-88 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H