GHSA-4qpj-gxxg-jqg4

Suggest an improvement
Source
https://github.com/advisories/GHSA-4qpj-gxxg-jqg4
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-4qpj-gxxg-jqg4/GHSA-4qpj-gxxg-jqg4.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-4qpj-gxxg-jqg4
Published
2024-05-29T13:13:16Z
Modified
2024-12-04T05:34:02.303434Z
Summary
Swiftmailer Sendmail transport arbitrary shell execution
Details

Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to an arbitrary shell execution if the "From" header came from a non-trusted source and no "Return-Path" is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-29T13:13:16Z"
}
References

Affected packages

Packagist / swiftmailer/swiftmailer

Package

Name
swiftmailer/swiftmailer
Purl
pkg:composer/swiftmailer/swiftmailer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
5.2.1

Affected versions

4.*

4.1.3
4.1.4
4.1.5
4.1.6
4.1.7

v4.*

v4.1.8
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.1

v5.*

v5.0.0
v5.0.1
v5.0.2
v5.0.3
v5.1.0
v5.2.0