GHSA-gff2-p6vm-3p8g

Source

https://github.com/advisories/GHSA-gff2-p6vm-3p8g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/06/GHSA-gff2-p6vm-3p8g/GHSA-gff2-p6vm-3p8g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gff2-p6vm-3p8g

Published

2024-06-07T20:47:30Z

Modified

2024-12-04T05:39:06.674820Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N CVSS Calculator

Summary

ZendFramework potential remote code execution in zend-mail via Sendmail adapter

Details

When using the zend-mail component to send email via the Zend\Mail\Transport\Sendmail transport, a malicious user may be able to inject arbitrary parameters to the system sendmail program. The attack is performed by providing additional quote characters within an address; when unsanitized, they can be interpreted as additional command line arguments, leading to the vulnerability.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-07T20:47:30Z"
}

References

Affected packages

Packagist / zendframework/zendframework

Package

Name: zendframework/zendframework
Purl: pkg:composer/zendframework/zendframework

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.0.0

Fixed

2.4.11

Affected versions

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.2.0rc1

2.2.0rc2

2.2.0rc3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.2.5

2.2.6

2.2.7

2.2.8

2.2.9

2.2.10

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.8

2.3.9

2.4.0rc1

2.4.0rc2

2.4.0rc3

2.4.0rc4

2.4.0rc5

2.4.0rc6

2.4.0rc7

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.4.6

2.4.7

2.4.8

2.4.9

2.4.10