CVE-2020-36326
Published 2021-04-28
CVE-2020-36326: PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to…
Priority: P351 · critical 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.09% (86.1th percentile)
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Affected
24 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | libphp-phpmailer | < libphp-phpmailer 6.2.0-2 (bookworm) | libphp-phpmailer 6.2.0-2 (bookworm) |
| phpmailer | phpmailer | >= 6.1.8 < 6.4.1 | 6.4.1 |
| phpmailer_project | phpmailer | 6.1.8 – 6.4.0 | — |
| wordpress | wordpress | >= 3.7 < 3.7.36 | 3.7.36 |
| wordpress | wordpress | >= 3.8 < 3.8.36 | 3.8.36 |
| wordpress | wordpress | >= 3.9 < 3.9.34 | 3.9.34 |
| wordpress | wordpress | >= 4.0 < 4.0.33 | 4.0.33 |
| wordpress | wordpress | >= 4.1 < 4.1.33 | 4.1.33 |
| wordpress | wordpress | >= 4.2 < 4.2.30 | 4.2.30 |
| wordpress | wordpress | >= 4.3 < 4.3.26 | 4.3.26 |
| wordpress | wordpress | >= 4.4 < 4.4.25 | 4.4.25 |
| wordpress | wordpress | >= 4.5 < 4.5.24 | 4.5.24 |
| wordpress | wordpress | >= 4.6 < 4.6.21 | 4.6.21 |
| wordpress | wordpress | >= 4.7 < 4.7.21 | 4.7.21 |
| wordpress | wordpress | >= 4.8 < 4.8.17 | 4.8.17 |
| wordpress | wordpress | >= 4.9 < 4.9.18 | 4.9.18 |
| wordpress | wordpress | >= 5.0 < 5.0.13 | 5.0.13 |
| wordpress | wordpress | >= 5.1 < 5.1.10 | 5.1.10 |
| wordpress | wordpress | >= 5.2 < 5.2.11 | 5.2.11 |
| wordpress | wordpress | >= 5.3 < 5.3.8 | 5.3.8 |
| wordpress | wordpress | >= 5.4 < 5.4.6 | 5.4.6 |
| wordpress | wordpress | >= 5.5 < 5.5.5 | 5.5.5 |
| wordpress | wordpress | >= 5.6 < 5.6.4 | 5.6.4 |
| wordpress | wordpress | >= 5.7 < 5.7.2 | 5.7.2 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| ghsa | — | 8.8 | HIGH | — |
| osv | — | 8.8 | HIGH | — |
| vendor_debian | — | 8.8 | HIGH | — |
WordPress
WordPress 5.7.2 Security Release
vendor_wordpress·2021-05-13·CVSS 8.8
CVE-2020-36326 [HIGH] WordPress 5.7.2 Security Release
Title: WordPress 5.7.2 Security Release
WordPress 5.7.2 is now available.
This security release features one security fix. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 3.7 have also been updated.
WordPress 5.7.2 is a short-cycle security release. The next major release will be version 5.8.
You can update to WordPress 5.7.2 by downloading from WordPress.org, or visit your Dashboard → Updates and click Update Now.
If you have sites that support automatic background updates, they’ve already started the update process.
Security Updates
One security issue affecting WordPress versions between 3.7 and 5.7. If you haven’t yet updated to 5.7, all WordPress versions since 3.7 have also been updated to fix the follow
Debian
CVE-2020-36326: libphp-phpmailer - PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserializati...
vendor_debian·2020·CVSS 8.8
CVE-2020-36326 [HIGH] CVE-2020-36326: libphp-phpmailer - PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserializati...
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
Scope: local
bookworm: resolved (fixed in 6.2.0-2)
bullseye: resolved (fixed in 6.2.0-2)
forky: resolved (fixed in 6.2.0-2)
sid: resolved (fixed in 6.2.0-2)
trixie: resolved (fixed in 6.2.0-2)
GHSA
Object injection in PHPMailer/PHPMailer
ghsa·2021-05-04·CVSS 8.8
CVE-2020-36326 [HIGH] CWE-502 Object injection in PHPMailer/PHPMailer
Object injection in PHPMailer/PHPMailer
### Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.
### Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.
### Workarounds
Validate paths to loaded files using the same pattern as used
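The Patches and Workarounds sections above describe the defensive pattern: reject any attachment path that looks like a URL (so no `phar://` or other stream wrapper is ever reached) and only accept plain local files. The following is an added example written for this page; it is not PHPMailer's own code, and the regular expressions, the `isSafeAttachmentPath` function name and the `$baseDir` confinement are this example's own assumptions rather than the exact filter shipped in 6.4.1. The demonstration directory and sample file are constructed at run time.

```php
<?php
// Added example, not PHPMailer code: validate an attachment path before it is
// handed to any file-reading API. Regexes and the base-directory rule are
// assumptions made for this illustration.

declare(strict_types=1);

/**
 * Return true only for a plain, readable local file inside $baseDir.
 * Rejected:
 *  - anything with a URL-style scheme (phar://, http://, file://, data:, ...)
 *  - UNC network paths (\\server\share\file or //server/share/file)
 *  - control characters / NUL bytes
 *  - paths that resolve (via .. or symlinks) outside $baseDir
 *  - anything that is not a regular, readable file
 */
function isSafeAttachmentPath(string $path, string $baseDir): bool
{
    // A "scheme:" prefix of two or more characters may select a PHP stream
    // wrapper. Requiring two characters lets Windows drive letters (C:\...) through.
    if (preg_match('#^[a-z][a-z0-9+.-]+:#i', $path)) {
        return false;
    }
    // UNC-style network paths, either slash convention.
    if (preg_match('#^(?:\\\\\\\\|//)#', $path)) {
        return false;
    }
    // Control characters (including NUL) never belong in a file path.
    if (preg_match('/[\x00-\x1f]/', $path)) {
        return false;
    }

    $realBase = realpath($baseDir);
    $realPath = realpath($path);
    if ($realBase === false || $realPath === false) {
        return false;
    }
    // Compare against the base with a trailing separator so that a sibling
    // directory such as /var/uploads-other is not accepted as a child of /var/uploads.
    $prefix = rtrim($realBase, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($realPath, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return is_file($realPath) && is_readable($realPath);
}

// Constructed demonstration: a throwaway uploads directory holding one real file.
$uploads = sys_get_temp_dir() . '/attach-demo-' . bin2hex(random_bytes(4));
mkdir($uploads, 0700);
file_put_contents($uploads . '/report.pdf', '%PDF-1.4 constructed sample');

$candidates = [
    $uploads . '/report.pdf',              // legitimate local file: allowed
    'phar://' . $uploads . '/report.pdf',  // stream wrapper scheme: rejected
    '\\\\fileserver\\share\\report.pdf',   // UNC path: rejected
    '//fileserver/share/report.pdf',       // UNC with forward slashes: rejected
    $uploads . '/../../etc/hostname',      // escapes the base directory: rejected
];
foreach ($candidates as $candidate) {
    printf("%-48s %s\n", $candidate,
        isSafeAttachmentPath($candidate, $uploads) ? 'allowed' : 'rejected');
}

// Usage sketch with a configured PHPMailer instance ($mail is assumed to exist):
// if (isSafeAttachmentPath($userSuppliedPath, $uploads)) {
//     $mail->addAttachment($userSuppliedPath);
// }

unlink($uploads . '/report.pdf');
rmdir($uploads);
```

The scheme check runs before any filesystem call on purpose: `realpath()`, `is_file()` and similar functions are themselves stream-aware, so the point of the fix is to never let a wrapper-prefixed string reach them. Confining the resolved path to a known directory is an additional restriction beyond the advisory's "reject anything URL-like" rule and is appropriate wherever the attachment source is user-influenced.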
OSV
Object injection in PHPMailer/PHPMailer
osv·2021-05-04·CVSS 8.8
CVE-2020-36326 [HIGH] Object injection in PHPMailer/PHPMailer
Object injection in PHPMailer/PHPMailer
### Impact
This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info.
### Patches
This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected.
### Workarounds
Validate paths to loaded files using the same pattern as used
OSV
CVE-2020-36326: PHPMailer 6
osv·2021-04-28·CVSS 8.8
CVE-2020-36326 [HIGH] CVE-2020-36326: PHPMailer 6
PHPMailer 6.1.8 through 6.4.0 allows object injection through Phar Deserialization via addAttachment with a UNC pathname. NOTE: this is similar to CVE-2018-19296, but arose because 6.1.8 fixed a functionality problem in which UNC pathnames were always considered unreadable by PHPMailer, even in safe contexts. As an unintended side effect, this fix eliminated the code that blocked addAttachment exploitation.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
Published: 2021-04-28