GHSA-m298-fh5c-jc66

Suggest an improvement
Source
https://github.com/advisories/GHSA-m298-fh5c-jc66
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/05/GHSA-m298-fh5c-jc66/GHSA-m298-fh5c-jc66.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-m298-fh5c-jc66
Aliases
Published
2021-05-04T17:42:13Z
Modified
2024-02-17T05:23:34.249370Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Object injection in PHPMailer/PHPMailer
Details

Impact

This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for .phar files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See this article for more info.

Patches

This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like any kind of URL are rejected.

Workarounds

Validate paths to loaded files using the same pattern as used in isPermittedPath() before using them in any PHP file function, such as file_exists. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to all user-supplied paths passed into such functions; it's not a problem specific to PHPMailer.

Credit

This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.

Database specific
{
    "nvd_published_at": "2021-04-28T03:15:00Z",
    "cwe_ids": [
        "CWE-502",
        "CWE-641"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-30T19:41:24Z"
}
References

Affected packages

Packagist / phpmailer/phpmailer

Package

Name
phpmailer/phpmailer
Purl
pkg:composer/phpmailer/phpmailer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.1.8
Fixed
6.4.1

Affected versions

v6.*

v6.1.8
v6.2.0
v6.3.0
v6.4.0