CVE-2021-23400

NameCVE-2021-23400
DescriptionThe package nodemailer before 6.6.1 are vulnerable to HTTP Header Injection if unsanitized user input that may contain newlines and carriage returns is passed into an address object.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs990485

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
node-nodemailer (PTS)bullseye6.4.17-3fixed
bookworm6.8.0+~6.4.6-1fixed
trixie6.10.0+~6.4.17-1fixed
forky, sid7.0.10+~7.0.2-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
node-nodemailersource(unstable)6.4.17-3990485

Notes

https://github.com/nodemailer/nodemailer/commit/7e02648cc8cd863f5085bad3cd09087bccf84b9f
https://github.com/nodemailer/nodemailer/issues/1289
https://snyk.io/vuln/SNYK-JS-NODEMAILER-1296415
Search for package or bug name: Reporting problems