Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZjMnAtcjQ2eC1tM3Z4

Argument injection in lettre

Impact

Affected versions of lettre allowed argument injection into the sendmail command. It was possible, using forged "to" addresses, to pass arbitrary arguments to the sendmail executable.

Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into arbitrary files (using sendmail's logging features).

NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

Fix

The flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses.
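The following Rust snippet is an added illustration of the flaw and the fix described above; it is example code written for this page, not lettre's own sendmail transport. It assumes a simplified `-i -f <from> <to...>` argument shape for the sendmail invocation, a constructed dash-prefixed recipient address, and a toy model of POSIX-style option parsing that stops at `--`; the real argv lettre builds and the real parser inside each sendmail implementation may differ.

```rust
use std::process::Command;

/// Constructed example of a forged "to" address that begins with a dash.
/// A real sendmail binary would start parsing it as an option.
pub const FORGED_TO: &str = "-dash-prefixed@example.invalid";

/// Vulnerable shape (shown for comparison): recipient addresses are appended
/// directly after the options, so a dash-prefixed address is parsed as a flag.
pub fn sendmail_args_vulnerable(from: &str, to: &[&str]) -> Vec<String> {
    let mut args = vec!["-i".to_string(), "-f".to_string(), from.to_string()];
    args.extend(to.iter().map(|s| s.to_string()));
    args
}

/// Fixed shape: "--" ends option parsing, so every later argument is treated
/// as a positional recipient even if it starts with "-".
pub fn sendmail_args_fixed(from: &str, to: &[&str]) -> Vec<String> {
    let mut args = vec![
        "-i".to_string(),
        "-f".to_string(),
        from.to_string(),
        "--".to_string(),
    ];
    args.extend(to.iter().map(|s| s.to_string()));
    args
}

/// Defence in depth (assumed policy, not part of the upstream fix): refuse
/// recipients that can never be a legitimate address before they reach argv.
pub fn is_safe_address(addr: &str) -> bool {
    !addr.starts_with('-')
        && addr.contains('@')
        && !addr.chars().any(|c| c.is_whitespace() || c.is_control())
}

/// Toy model of how a POSIX-style option parser splits argv: arguments that
/// start with '-' are options until "--" is seen; "-f" consumes the next
/// argument as its value. Returns (options, operands).
pub fn split_options_and_operands(args: &[String]) -> (Vec<String>, Vec<String>) {
    let mut options = Vec::new();
    let mut operands = Vec::new();
    let mut parsing_options = true;
    let mut iter = args.iter();
    while let Some(a) = iter.next() {
        if parsing_options && a == "--" {
            parsing_options = false;
            continue;
        }
        if parsing_options && a.starts_with('-') {
            options.push(a.clone());
            if a == "-f" {
                if let Some(v) = iter.next() {
                    options.push(v.clone());
                }
            }
        } else {
            operands.push(a.clone());
        }
    }
    (options, operands)
}

/// Builds (but does not spawn) the fixed command; the binary path is assumed.
pub fn build_sendmail_command(from: &str, to: &[&str]) -> Command {
    let mut cmd = Command::new("/usr/sbin/sendmail");
    cmd.args(sendmail_args_fixed(from, to));
    cmd
}

fn main() {
    let from = "sender@example.invalid";
    let (opts, ops) = split_options_and_operands(&sendmail_args_vulnerable(from, &[FORGED_TO]));
    println!("vulnerable: options={:?} recipients={:?}", opts, ops);
    let (opts, ops) = split_options_and_operands(&sendmail_args_fixed(from, &[FORGED_TO]));
    println!("fixed:      options={:?} recipients={:?}", opts, ops);
    println!("address accepted by policy: {}", is_safe_address(FORGED_TO));
}
```

With the vulnerable argument list, the model parser classifies the forged address as an option and the message ends up with no recipient at all; with `--` in place it is a plain operand. The `is_safe_address` check is an extra layer a caller can apply, but the `--` terminator is the change that removes the injection regardless of input validation.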

References

Permalink: https://github.com/advisories/GHSA-vc2p-r46x-m3vx
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXZjMnAtcjQ2eC1tM3Z4
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 11 months ago
CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Identifiers: GHSA-vc2p-r46x-m3vx, CVE-2020-28247
References: Repository: https://github.com/lettre/lettre
Blast Radius: 14.6

Affected Packages

cargo:lettre
Dependent packages: 110
Dependent repositories: 564
Downloads: 2,266,091 total
Affected Version Ranges: >= 0.7.0, < 0.7.1, >= 0.8.0, < 0.8.4, >= 0.9.0, < 0.9.5
Fixed in: 0.7.1, 0.8.4, 0.9.5
All affected versions: 0.7.0, 0.8.0, 0.8.1, 0.8.2, 0.8.3, 0.9.0, 0.9.1, 0.9.2, 0.9.3
All unaffected versions: 0.4.0, 0.5.0, 0.5.1, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.1, 0.8.4, 0.9.5, 0.9.6, 0.10.0, 0.10.1, 0.10.2, 0.10.3, 0.10.4, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.11.7