CVE-2020-7769
Publication date 12 November 2020
Last updated 26 August 2025
Ubuntu priority
Description
This affects the package nodemailer before 6.4.16. Use of crafted recipient email addresses may result in arbitrary command flag injection in sendmail transport for sending mails.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| node-nodemailer | 25.10 questing |
Not affected
|
| 24.04 LTS noble |
Not affected
|
|
| 22.04 LTS jammy |
Not affected
|
|
| 20.04 LTS focal |
Vulnerable
|
|
| 18.04 LTS bionic | Not in release | |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.6 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity impact | Low |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H |
References
Other references
- https://github.com/nodemailer/nodemailer/blob/33b62e2ea6bc9215c99a9bb4bfba94e2fb27ebd0/lib/sendmail-transport/index.js%23L75
- https://github.com/nodemailer/nodemailer/commit/ba31c64c910d884579875c52d57ac45acc47aa54
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1039742
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1038834
- https://www.cve.org/CVERecord?id=CVE-2020-7769