Description

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

Remediation

References

https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f

https://github.com/nodemailer/nodemailer/issues/1289

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737

https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415

Related Vulnerabilities

CVE-2020-24750 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-9488 Vulnerability in maven package org.apache.logging.log4j:log4j

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-shuffle_2.10

CVE-2021-40110 Vulnerability in maven package org.apache.james:james-server

CVE-2020-17519 Vulnerability in maven package org.apache.flink:flink-runtime_2.12

Severity

Critical

Classification

CWE-74 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Tags

Patch Third Party Advisory Exploit