Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
SMTP command injection in lettre
Impact
Affected versions of lettre allowed SMTP command injection through an attacker-controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.
Fix
The flaw is fixed by correctly handling consecutive CRLF sequences.
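An added example in Rust, written here and not taken from lettre, of dot-stuffing that decides "start of line" per byte rather than per matched CRLF, so a period following consecutive CRLF sequences is escaped; it also treats a bare LF as a line end, which is an assumption beyond what the advisory states, and `contains_data_terminator` is a hypothetical pre-send check, not a lettre API.

```rust
/// Dot-stuff a message body for the SMTP DATA phase (RFC 5321 section 4.5.2):
/// every line that begins with '.' gets a second '.' prepended so the server
/// never sees a lone "." line (the DATA terminator) inside the body.
///
/// A byte is a line start if it is the first byte of the body or the byte
/// before it is '\n'. Tracking this per byte means consecutive CRLF
/// sequences (empty lines) cannot hide a leading period, which is the case
/// the vulnerable escaper missed.
/// Assumption: a bare LF is also treated as a line end (stricter than CRLF-only).
pub fn dot_stuff(body: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(body.len() + 8);
    let mut at_line_start = true;
    for &b in body {
        if at_line_start && b == b'.' {
            out.push(b'.'); // escape the leading period
        }
        out.push(b);
        at_line_start = b == b'\n';
    }
    out
}

/// Defensive check (hypothetical helper) a sender can run on the bytes it is
/// about to write after DATA: true if any line consists solely of ".", i.e.
/// the body would end the message early and let whatever follows reach the
/// server as commands.
pub fn contains_data_terminator(wire: &[u8]) -> bool {
    wire.split(|&b| b == b'\n')
        .any(|line| line.strip_suffix(b"\r").unwrap_or(line) == b".")
}

fn main() {
    // Constructed sample: an empty line followed by a lone period, the exact
    // shape the vulnerable escaper failed to catch.
    let body = b"Hello\r\n\r\n.\r\nmore body text\r\n";
    assert!(contains_data_terminator(body));
    let stuffed = dot_stuff(body);
    assert!(!contains_data_terminator(&stuffed));
    println!("{}", String::from_utf8_lossy(&stuffed));
}
```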
Permalink: https://github.com/advisories/GHSA-qc36-q22q-cjw3
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXFjMzYtcTIycS1jancz
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 3 years ago
Updated: almost 2 years ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Percentage: 0.0032
EPSS Percentile: 0.70196
Identifiers: GHSA-qc36-q22q-cjw3, CVE-2021-38189
References:
- https://github.com/lettre/lettre/security/advisories/GHSA-qc36-q22q-cjw3
- https://github.com/lettre/lettre/commit/8bfc20506cc5e098fe6eb3d1cafe3bea791215ce
- https://rustsec.org/advisories/RUSTSEC-2021-0069.html
- https://github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2
- https://github.com/advisories/GHSA-qc36-q22q-cjw3
Blast Radius: 27.0
Affected Packages
cargo:lettre
Dependent packages: 132
Dependent repositories: 564
Downloads: 3,476,829 total
Affected Version Ranges: >= 0.7.0, < 0.9.6
Fixed in: 0.9.6
All affected versions: 0.7.0, 0.7.1, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.8.4, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.5
All unaffected versions: 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.9.6, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7, 0.11.8, 0.11.9, 0.11.10, 0.11.11