Skip to content

SMTP command injection

High
amousset published GHSA-qc36-q22q-cjw3 May 22, 2021

Package

lettre (crates.io)

Affected versions

<0.10.0-rc.3 <0.9.6 0.8 0.7

Patched versions

0.10.0-rc.3 0.9.6

Description

Impact

Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.

Fix

The flaw is fixed by correctly handling consecutive CRLF sequences.

References

Severity

High

CVE ID

No known CVE

Weaknesses

Improper Neutralization of Input Terminators

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as input terminators when they are sent to a downstream component. Learn more on MITRE.

Credits