Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00cXBqLWd4eGctanFnNM4AA8jN
Swiftmailer Sendmail transport arbitrary shell execution
Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to an arbitrary shell execution if the "From" header came from a non-trusted source and no "Return-Path" is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00cXBqLWd4eGctanFnNM4AA8jN
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: 6 months ago
Updated: 6 months ago
Identifiers: GHSA-4qpj-gxxg-jqg4
References:
- https://github.com/swiftmailer/swiftmailer/commit/b4b78af55e5e87f5ff07c06c6be7963c44562f80
- https://github.com/swiftmailer/swiftmailer/commit/efc430606a5faed864b969adfbdc5363ce2115a2
- https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/2014-06-13.yaml
- https://web.archive.org/web/20150219063146/http://blog.swiftmailer.org/post/88660759928/security-fix-swiftmailer-5-2-1-released
- http://blog.swiftmailer.org/post/88660759928/security-fix-swiftmailer-5-2-1-released
- https://github.com/advisories/GHSA-4qpj-gxxg-jqg4
Blast Radius: 0.0
Affected Packages
packagist:swiftmailer/swiftmailer
Dependent packages: 1,108Dependent repositories: 452,482
Downloads: 403,997,826 total
Affected Version Ranges: >= 4.0.0, < 5.2.1
Fixed in: 5.2.1
All affected versions: 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2.0, 4.2.1, 4.2.2, 4.3.0, 4.3.1, 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.1.0, 5.2.0
All unaffected versions: 5.2.1, 5.2.2, 5.3.0, 5.3.1, 5.4.0, 5.4.1, 5.4.2, 5.4.3, 5.4.4, 5.4.5, 5.4.6, 5.4.7, 5.4.8, 5.4.9, 5.4.10, 5.4.11, 5.4.12, 6.0.0, 6.0.1, 6.0.2, 6.1.0, 6.1.1, 6.1.2, 6.1.3, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.3.0