Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00cXBqLWd4eGctanFnNM4AA8jN

Swiftmailer Sendmail transport arbitrary shell execution

Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to an arbitrary shell execution if the "From" header came from a non-trusted source and no "Return-Path" is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.

Permalink: https://github.com/advisories/GHSA-4qpj-gxxg-jqg4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cXBqLWd4eGctanFnNM4AA8jN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 months ago
Updated: 6 months ago


Identifiers: GHSA-4qpj-gxxg-jqg4
References: Repository: https://github.com/swiftmailer/swiftmailer
Blast Radius: 0.0

Affected Packages

packagist:swiftmailer/swiftmailer
Dependent packages: 1,108
Dependent repositories: 452,482
Downloads: 405,016,880 total
Affected Version Ranges: >= 4.0.0, < 5.2.1
Fixed in: 5.2.1
All affected versions: 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.2.0
All unaffected versions: 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.3.0