VDB
CVE-2021-23400
CVE-2021-23400
PUBLISHED
The package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
EPSS 0.54% · 67.9th percentile
Risk Scores
EPSS Score
0.54%
67.9th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:20.04:LTS | node-nodemailer | 6.4.5-1, 0, 6.3.0-2 |
| Ubuntu:22.04:LTS | node-nodemailer | 6.4.17-3, 6.7.0-1, 6.7.0-2 |
Exploit Intelligence
Timeline
- Jun 29, 2021 CVE Published
- Jun 30, 2021 EPSS Score
- Jul 6, 2021 CVE Updated
- Aug 29, 2021 EPSS Score
- Oct 28, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 26, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- Jun 26, 2022 EPSS Score
- Aug 26, 2022 EPSS Score
- Oct 25, 2022 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-23400 third-party-advisory
- https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415 third-party-advisory
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1314737 third-party-advisory
- https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f third-party-advisory
- https://github.com/nodemailer/nodemailer/issues/1289 third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-23400 third-party-advisory