GHSA-r9mw-gwx9-v3h5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-r9mw-gwx9-v3h5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9mw-gwx9-v3h5/GHSA-r9mw-gwx9-v3h5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-r9mw-gwx9-v3h5
- Aliases
- Published
- 2022-05-14T02:19:49Z
- Modified
- 2024-04-23T23:26:47.206953Z
- Severity
-
- 9.8 (Critical) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- zend-mail remote code execution via Sendmail adapter
- Details
-
The setFrom function in the Sendmail adapter in the zend-mail component before 2.4.11, 2.5.x, 2.6.x, and 2.7.x before 2.7.2, and Zend Framework before 2.4.11 might allow remote attackers to pass extra parameters to the mail command and consequently execute arbitrary code via a \" (backslash double quote) in a crafted e-mail address.
- Database specific
{ "nvd_published_at": "2016-12-30T19:59:00Z", "cwe_ids": [ "CWE-77" ], "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2024-04-23T23:13:13Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2016-10034
- https://framework.zend.com/security/advisory/ZF2016-04
- https://github.com/zendframework/zend-mail
- https://legalhackers.com/advisories/ZendFramework-Exploit-ZendMail-Remote-Code-Exec-CVE-2016-10034-Vuln.html
- https://security.gentoo.org/glsa/201804-10
- https://www.exploit-db.com/exploits/40979
- https://www.exploit-db.com/exploits/40986
- https://www.exploit-db.com/exploits/42221
- http://www.securityfocus.com/bid/95144
- http://www.securitytracker.com/id/1037539
Affected packages
Packagist / zendframework/zend-mail
Package
- Name
- zendframework/zend-mail
- Purl
- pkg:composer/zendframework/zend-mail
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.4.11
Affected versions
2.*
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.5
2.1.6
2.2.0rc1
2.2.0rc2
2.2.0rc3
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5
2.2.6
2.2.7
2.2.8
2.2.9
2.2.10
2.3.0
2.3.1
2.3.2
2.3.3
2.3.4
2.3.5
2.3.6
2.3.7
2.3.8
2.3.9
2.4.0rc1
2.4.0rc2
2.4.0rc3
2.4.0rc4
2.4.0rc5
2.4.0rc6
2.4.0rc7
2.4.0
2.4.1
2.4.2
2.4.3
2.4.4
2.4.5
2.4.6
2.4.7
2.4.8
2.4.9
2.4.10
Packagist / zendframework/zend-mail
Package
- Name
- zendframework/zend-mail
- Purl
- pkg:composer/zendframework/zend-mail
Packagist / zendframework/zend-mail
Package
- Name
- zendframework/zend-mail
- Purl
- pkg:composer/zendframework/zend-mail
Packagist / zendframework/zend-mail
Package
- Name
- zendframework/zend-mail
- Purl
- pkg:composer/zendframework/zend-mail