Fluid Attacks Database

Description

Swiftmailer Sendmail transport arbitrary shell execution Prior to 5.2.1, the sendmail transport (Swift_Transport_SendmailTransport) was vulnerable to an arbitrary shell execution if the "From" header came from a non-trusted source and no "Return-Path" is configured. This has been fixed in 5.2.1. If you are using sendmail as a transport, you are encouraged to upgrade as soon as possible.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
packagist	swiftmailer/swiftmailer	>=4.0.0 <5.2.1	5.2.1

Aliases

1. GCVE-GHSA-4qpj-gxxg-jqg4

References

1. https://github.com/swiftmailer/swiftmailer/commit/b4b78af55e5e87f5ff07c06c6be7963c44562f802. https://github.com/swiftmailer/swiftmailer/commit/efc430606a5faed864b969adfbdc5363ce2115a23. https://github.com/FriendsOfPHP/security-advisories/blob/master/swiftmailer/swiftmailer/2014-06-13.yaml4. https://web.archive.org/web/20150219063146/http://blog.swiftmailer.org/post/88660759928/security-fix-swiftmailer-5-2-1-released5. http://blog.swiftmailer.org/post/88660759928/security-fix-swiftmailer-5-2-1-released

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.