Input validation error in Debian Linux - CVE-2015-8476
Published: December 16, 2015 / Updated: August 9, 2020
Vulnerability identifier: #VU40577
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2015-8476
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Debian
Affected software:
Debian Linux
Debian Linux
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to manipulate data.
Multiple CRLF injection vulnerabilities in PHPMailer before 5.2.14 allow attackers to inject arbitrary SMTP commands via CRLF sequences in an (1) email address to the validateAddress function in class.phpmailer.php or (2) SMTP command to the sendCommand function in class.smtp.php, a different vulnerability than CVE-2012-0796.
How to mitigate CVE-2015-8476
Install update from vendor's website.
Sources
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177130.html
- http://lists.fedoraproject.org/pipermail/package-announce/2016-February/177139.html
- http://www.debian.org/security/2015/dsa-3416
- http://www.openwall.com/lists/oss-security/2015/12/04/5
- http://www.openwall.com/lists/oss-security/2015/12/05/1
- http://www.securityfocus.com/bid/78619
- https://github.com/PHPMailer/PHPMailer/commit/6687a96a18b8f12148881e4ddde795ae477284b0
- https://github.com/PHPMailer/PHPMailer/releases/tag/v5.2.14