GMS-2021-182: Remote command injection when using sendmail email transport

September 20, 2021

Impact

Sites using the sendmail transport as part of their mail config are vulnerable to remote command injection due to a vulnerability in the nodemailer dependency.

Ghost defaults to the direct transport so this is only exploitable if the sendmail transport is explicitly used.

Patches

Fixed in 4.15.0, all sites should upgrade as soon as possible.

Workarounds

Use an alternative email transport as described in the docs.

For more information

If you have any questions or comments about this advisory:

email us at security@ghost.org

References

github.com/TryGhost/Ghost/security/advisories/GHSA-wfrj-qqc2-83cm
github.com/advisories/GHSA-48ww-j4fc-435p
github.com/advisories/GHSA-wfrj-qqc2-83cm

Code Behaviors & Features

Detect and mitigate GMS-2021-182 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →