Vulnerability Description
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Nodemailer | Nodemailer | < 6.4.16 |
Related Weaknesses (CWE)
References
- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb (Broken Link, Third Party Advisory)
- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45a (Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742 (Exploit, Patch, Third Party Advisory)
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834 (Exploit, Patch, Third Party Advisory)
FAQ
What is CVE-2020-7769?
CVE-2020-7769 is a vulnerability with a CVSS score of 8.6 (HIGH). This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
How severe is CVE-2020-7769?
CVE-2020-7769 has been rated HIGH with a CVSS base score of 8.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-7769?
Check the references section above for vendor advisories and patch information. The affected product is Nodemailer (vendor: Nodemailer), in versions before 6.4.16.
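A pre-flight check for the condition described above, as an added example that is not nodemailer's own code or its patch: it flags an installed version in the affected range (before 6.4.16) and rejects envelope addresses that a sendmail-style binary would read as a command-line option because they begin with `-`. The function names, the `{from, to}` envelope shape and the sample addresses are assumptions made for illustration.

```javascript
// Added example; helper names are hypothetical and not part of nodemailer.
const FIXED_VERSION = '6.4.16'; // from the advisory: versions before this are affected

// Compare dotted numeric versions; true when `installed` is older than `fixed`.
// Pre-release suffixes (e.g. "6.4.16-beta") are ignored by parseInt.
function isAffectedVersion(installed, fixed = FIXED_VERSION) {
    const a = installed.split('.').map(p => parseInt(p, 10) || 0);
    const b = fixed.split('.').map(p => parseInt(p, 10) || 0);
    for (let i = 0; i < Math.max(a.length, b.length); i++) {
        const x = a[i] || 0;
        const y = b[i] || 0;
        if (x !== y) return x < y;
    }
    return false;
}

// Return every envelope address that is not a string or that starts with "-"
// (optionally after whitespace, in case a later layer trims it). Such a value
// placed on a command line is parsed as a flag, not as a recipient.
function findFlagLikeAddresses(envelope) {
    const all = [].concat(envelope.from || [], envelope.to || []);
    return all.filter(addr => typeof addr !== 'string' || /^\s*-/.test(addr));
}

// Combine both checks into one result an application can log or act on
// before handing the message to a sendmail-based transport.
function preflight(installedVersion, envelope) {
    const rejected = findFlagLikeAddresses(envelope);
    return {
        affectedVersion: isAffectedVersion(installedVersion),
        rejected,
        safeToSend: rejected.length === 0
    };
}

// Constructed sample input: one ordinary recipient, one that starts with "-".
const sampleEnvelope = {
    from: 'app@example.com',
    to: ['alice@example.com', '-x@example.com']
};
const sampleResult = preflight('6.4.15', sampleEnvelope);
```

Rejecting the message is the conservative choice here; upgrading to 6.4.16 or later remains the fix the advisory points to.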