CVE-2020-36326
First published: Wed Apr 28 2021(Updated: )
### Impact This is a reintroduction of an earlier issue (CVE-2018-19296) by an unrelated bug fix in PHPMailer 6.1.8. An external file may be unexpectedly executable if it is used as a path to an attachment file via PHP's support for `.phar` files`. Exploitation requires that an attacker is able to provide an unfiltered path to a file to attach, or to trick calling code into generating one. See [this article](https://knasmueller.net/5-answers-about-php-phar-exploitation) for more info. ### Patches This issue was patched in the PHPMailer 6.4.1 release. This release also implements stricter filtering for attachment paths; paths that look like *any* kind of URL are rejected. ### Workarounds Validate paths to loaded files using the same pattern as used in [`isPermittedPath()`](https://github.com/PHPMailer/PHPMailer/blob/master/src/PHPMailer.php#L1815) before using them in *any* PHP file function, such as `file_exists`. This method can't be used directly because it is protected, but you can implement the same thing in calling code. Note that this should be applied to *all* user-supplied paths passed into such functions; it's not a problem specific to PHPMailer. ### Credit This issue was found by Fariskhi Vidyan, reported and managed via Tidelift.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| composer/phpmailer/phpmailer | >=6.1.8<6.4.1 | 6.4.1 |
| Phpmailer Project Phpmailer | >=6.1.8<=6.4.0 | |
| WordPress WordPress | >=3.7<3.7.36 | |
| WordPress WordPress | >=3.8<3.8.36 | |
| WordPress WordPress | >=3.9<3.9.34 | |
| WordPress WordPress | >=4.0<4.0.33 | |
| WordPress WordPress | >=4.1<4.1.33 | |
| WordPress WordPress | >=4.2<4.2.30 | |
| WordPress WordPress | >=4.3<4.3.26 | |
| WordPress WordPress | >=4.4<4.4.25 | |
| WordPress WordPress | >=4.5<4.5.24 | |
| WordPress WordPress | >=4.6<4.6.21 | |
| WordPress WordPress | >=4.7<4.7.21 | |
| WordPress WordPress | >=4.8<4.8.17 | |
| WordPress WordPress | >=4.9<4.9.18 | |
| WordPress WordPress | >=5.0<5.0.13 | |
| WordPress WordPress | >=5.1<5.1.10 | |
| WordPress WordPress | >=5.2<5.2.11 | |
| WordPress WordPress | >=5.3<5.3.8 | |
| WordPress WordPress | >=5.4<5.4.6 | |
| WordPress WordPress | >=5.5<5.5.5 | |
| WordPress WordPress | >=5.6<5.6.4 | |
| WordPress WordPress | >=5.7<5.7.2 | |
| composer/phpmailer/phpmailer | >=6.1.8<6.4.1 | 6.4.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1
- https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
- https://github.com/PHPMailer/PHPMailer/security/advisories/GHSA-m298-fh5c-jc66
- https://nvd.nist.gov/vuln/detail/CVE-2020-36326
- https://github.com/FriendsOfPHP/security-advisories/blob/master/phpmailer/phpmailer/CVE-2020-36326.yaml
- https://github.com/advisories/GHSA-m298-fh5c-jc66 (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPU66INRFY5BQ3ESVPRUXJR4DXQAFJVT/
Frequently Asked Questions
What is CVE-2020-36326?
CVE-2020-36326 is a vulnerability that allows object injection via a local phar file in PHPMailer 6.1.8 through 6.4.0.
What is the severity of CVE-2020-36326?
CVE-2020-36326 has a severity level of 9.8, which is classified as critical.
Which software versions are affected by CVE-2020-36326?
CVE-2020-36326 affects PHPMailer versions 6.1.8 through 6.4.0, as well as certain versions of WordPress.
How can I fix CVE-2020-36326?
To fix CVE-2020-36326, you should update PHPMailer to version 6.4.1. For WordPress, update to the latest version available.
Where can I find more information about CVE-2020-36326?
You can find more information about CVE-2020-36326 in the references provided: [link1](https://github.com/PHPMailer/PHPMailer/releases/tag/v6.4.1), [link2](https://github.com/PHPMailer/PHPMailer/commit/e2e07a355ee8ff36aba21d0242c5950c56e4c6f9), [link3](https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3B5WDPGUFNPG4NAZ6G4BZX43BKLAVA5B/)
- collector/friends-of-php
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m298-fh5c-jc66
- alias/CVE-2020-36326
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/softwarecombine
- agent/last-modified-date
- agent/severity
- agent/description
- agent/references
- agent/author
- collector/github-advisory
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/composer
- vendor/phpmailer project
- canonical/phpmailer project phpmailer
- version/phpmailer project phpmailer/6.1.8
- version/phpmailer project phpmailer/6.4.0
- vendor/wordpress
- canonical/wordpress wordpress
- version/wordpress wordpress/3.7
- version/wordpress wordpress/3.8
- version/wordpress wordpress/3.9
- version/wordpress wordpress/4.0
- version/wordpress wordpress/4.1
- version/wordpress wordpress/4.2
- version/wordpress wordpress/4.3
- version/wordpress wordpress/4.4
- version/wordpress wordpress/4.5
- version/wordpress wordpress/4.6
- version/wordpress wordpress/4.7
- version/wordpress wordpress/4.8
- version/wordpress wordpress/4.9
- version/wordpress wordpress/5.0
- version/wordpress wordpress/5.1
- version/wordpress wordpress/5.2
- version/wordpress wordpress/5.3
- version/wordpress wordpress/5.4
- version/wordpress wordpress/5.5
- version/wordpress wordpress/5.6
- version/wordpress wordpress/5.7