- Reported
-
- Issued
-
- Package
-
lettre
(crates.io)
- Type
-
Vulnerability
- Categories
-
- Keywords
-
#email
#smtp
- Aliases
-
- Details
-
https://github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2
- Patched
-
>=0.10.0-rc.3
<0.10.0-alpha.1, >=0.9.6
- Unaffected
-
- Affected Functions
- Version
lettre::smtp::SmtpTransport::send
-
lettre::transport::smtp::SmtpTransport::send
-
>=0.10.0-alpha.1, <0.10.0-rc.3
lettre::transport::smtp::SmtpTransport::send_raw
-
>=0.10.0-alpha.1, <0.10.0-rc.3
Description
Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.
The flaw is fixed by correctly handling consecutive CRLF sequences.