mellowagain / gitarena

Software development platform with built-in vcs, issue tracking and code review
MIT License

RUSTSEC-2021-0069: SMTP command injection in body #38

Status: Closed (closed by github-actions[bot] 2 years ago)

github-actions[bot] commented 2 years ago

SMTP command injection in body

Details

| Field | Value |
| --- | --- |
| Package | lettre |
| Version | 0.10.0-beta.4 |
| URL | https://github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2 |
| Date | 2021-05-22 |
| Patched versions | >=0.10.0-rc.3; >=0.9.6, <0.10.0-alpha.1 |
| Unaffected versions | <0.7.0 |

Affected versions of lettre allowed SMTP command injection through an attacker-controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.

The flaw is fixed by correctly handling consecutive CRLF sequences.

See advisory page for additional details.
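The bug class described in the advisory, as an added example that is not lettre's or gitarena's code: a minimal dot-stuffing (RFC 5321 section 4.5.2) state machine with the same defect, the corrected version beside it, and a helper that shows what an SMTP server would treat as commands after the first `<CRLF>.<CRLF>` it sees. The payload, addresses and function names are constructed for the illustration.

```rust
/// Buggy dot-stuffer. States: 0 = inside a line, 1 = saw CR, 2 = saw CRLF
/// (start of a line). The defect: a CR seen in state 2 falls back to state 0,
/// so the line-start marker is lost after a blank line and "\r\n\r\n." is
/// not escaped. (Example code; lettre's real encoder is structured differently.)
fn dot_stuff_buggy(body: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(body.len() + 8);
    let mut state = 0u8;
    for &b in body {
        state = match (state, b) {
            (0, b'\r') => 1,
            (1, b'\n') => 2,
            (2, b'.') => {
                out.push(b'.'); // stuff an extra period before a line-leading period
                0
            }
            _ => 0, // BUG: (2, b'\r') lands here and forgets that a CRLF may follow
        };
        out.push(b);
    }
    out
}

/// Corrected dot-stuffer: any CR, whatever the current state, may begin a
/// CRLF, so it always moves to state 1. The start of DATA is also the start
/// of a line, so the machine begins in state 2 (an assumption of this example).
fn dot_stuff(body: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(body.len() + 8);
    let mut state = 2u8;
    for &b in body {
        state = match (state, b) {
            (_, b'\r') => 1, // consecutive CRLFs are handled: CR always restarts the match
            (1, b'\n') => 2,
            (2, b'.') => {
                out.push(b'.');
                0
            }
            _ => 0,
        };
        out.push(b);
    }
    out
}

/// Build the DATA payload a client would send: stuffed body, a CRLF if the body
/// did not end with one, then the end-of-data sequence.
fn frame_data_with(body: &[u8], stuff: fn(&[u8]) -> Vec<u8>) -> Vec<u8> {
    let mut out = stuff(body);
    if !out.ends_with(b"\r\n") {
        out.extend_from_slice(b"\r\n");
    }
    out.extend_from_slice(b".\r\n");
    out
}

/// Server's view: everything after the first "<CRLF>.<CRLF>" is parsed as
/// further SMTP commands. Returns None if no terminator is present.
fn bytes_after_first_terminator(stream: &[u8]) -> Option<&[u8]> {
    const END: &[u8] = b"\r\n.\r\n";
    stream
        .windows(END.len())
        .position(|w| w == END)
        .map(|i| &stream[i + END.len()..])
}

/// Constructed attacker-controlled body: a blank line, then a lone period,
/// then SMTP commands the attacker hopes the server will execute.
const PAYLOAD: &[u8] = b"Hello,\r\nsee attachment.\r\n\r\n.\r\n\
MAIL FROM:<attacker@example.invalid>\r\n\
RCPT TO:<victim@example.invalid>\r\n\
DATA\r\nspam\r\n.\r\n";

fn main() {
    let buggy = frame_data_with(PAYLOAD, dot_stuff_buggy);
    let safe = frame_data_with(PAYLOAD, dot_stuff);
    println!("buggy stream: {}", String::from_utf8_lossy(&buggy).escape_debug());
    println!("safe stream:  {}", String::from_utf8_lossy(&safe).escape_debug());
    match bytes_after_first_terminator(&buggy) {
        Some(rest) if !rest.is_empty() => println!(
            "buggy client: server would read commands: {}",
            String::from_utf8_lossy(rest).escape_debug()
        ),
        _ => println!("buggy client: nothing injected"),
    }
    match bytes_after_first_terminator(&safe) {
        Some(rest) if !rest.is_empty() => println!("safe client: injection still possible!"),
        _ => println!("safe client: body is delivered as data, no commands leak"),
    }
}
```

With the corrected stuffer the line becomes `..`, which the receiving server de-stuffs back to a single period inside the message; with the buggy one the attacker's `<CRLF>.<CRLF>` is forwarded verbatim and the following lines are parsed as a second transaction.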

mellowagain commented 2 years ago

Fixed by upgrading to lettre 0.10.0-rc.4 in c8c53a7.