Lucene search

Debian Security Bug TrackerDEBIANCVE:CVE-2021-3603

HistoryJun 17, 2021 - 12:15 p.m.

CVE-2021-3603

2021-06-1712:15:08

Debian Security Bug Tracker

security-tracker.debian.org

phpmailer

vulnerability

untrusted code

injection

host project

scope

validator

function names

mitigation

php

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

8.1

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.7%

JSON

PHPMailer 6.4.1 and earlier contain a vulnerability that can result in untrusted code being called (if such code is injected into the host project’s scope by other means). If the $patternselect parameter to validateAddress() is set to ‘php’ (the default, defined by PHPMailer::$validator), and the global namespace contains a function called php, it will be called in preference to the built-in validator of the same name. Mitigated in PHPMailer 6.5.0 by denying the use of simple strings as validator function names.

OSVersionArchitecturePackageVersionFilename
Debian12alllibphp-phpmailer< 6.6.3-1libphp-phpmailer_6.6.3-1_all.deb
Debian11alllibphp-phpmailer<= 6.2.0-2libphp-phpmailer_6.2.0-2_all.deb
Debian999alllibphp-phpmailer< 6.6.3-1libphp-phpmailer_6.6.3-1_all.deb
Debian13alllibphp-phpmailer< 6.6.3-1libphp-phpmailer_6.6.3-1_all.deb

OS	Version	Architecture	Package	Version	Filename
Debian	12	all	libphp-phpmailer	< 6.6.3-1	libphp-phpmailer_6.6.3-1_all.deb
Debian	11	all	libphp-phpmailer	<= 6.2.0-2	libphp-phpmailer_6.2.0-2_all.deb
Debian	999	all	libphp-phpmailer	< 6.6.3-1	libphp-phpmailer_6.6.3-1_all.deb
Debian	13	all	libphp-phpmailer	< 6.6.3-1	libphp-phpmailer_6.6.3-1_all.deb