Candidate: CVE-2020-7769
PublicDate: 2020-11-12 09:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7769
 https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75
 https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
 https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
 https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
Description:
 This affects the package nodemailer before 6.4.16. Use of crafted
 recipient email addresses may result in arbitrary command flag injection
 in sendmail transport for sending mails.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by: Vineet Kumar
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_node-nodemailer:
 upstream: https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
upstream_node-nodemailer: needs-triage
precise/esm_node-nodemailer: DNE
trusty_node-nodemailer: ignored (out of standard support)
trusty/esm_node-nodemailer: DNE
xenial_node-nodemailer: DNE
bionic_node-nodemailer: DNE
focal_node-nodemailer: needed
groovy_node-nodemailer: ignored (reached end-of-life)
hirsute_node-nodemailer: not-affected (6.4.16-1)
impish_node-nodemailer: not-affected (6.4.16-1)
jammy_node-nodemailer: not-affected (6.4.16-1)
devel_node-nodemailer: not-affected (6.4.16-1)