CVE-2021-23400

high

Description

The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.

References

Advisories
More

https://github.com/nodemailer/nodemailer/issues/1289

https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f

https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415

https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737

Details

Source: Mitre, NVD

Published: 2021-06-29

Updated: 2021-07-06

Risk Information

CVSS v2

Base Score: 6.8

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Severity: High

EPSS

EPSS: 0.00536

Detections

Analytics