An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two <CR><LF> sequences and then inject arbitrary SMTP commands.
{
"unresolved_ranges": [
{
"extracted_events": [
{
"introduced": "0.10.0-alpha1"
},
{
"last_affected": "0.10.0-alpha1"
},
{
"introduced": "0.10.0-alpha2"
},
{
"last_affected": "0.10.0-alpha2"
},
{
"introduced": "0.10.0-alpha3"
},
{
"last_affected": "0.10.0-alpha3"
},
{
"introduced": "0.10.0-alpha4"
},
{
"last_affected": "0.10.0-alpha4"
},
{
"introduced": "0.10.0-alpha5"
},
{
"last_affected": "0.10.0-alpha5"
},
{
"introduced": "0.10.0-beta1"
},
{
"last_affected": "0.10.0-beta1"
},
{
"introduced": "0.10.0-beta2"
},
{
"last_affected": "0.10.0-beta2"
},
{
"introduced": "0.10.0-beta3"
},
{
"last_affected": "0.10.0-beta3"
},
{
"introduced": "0.10.0-beta4"
},
{
"last_affected": "0.10.0-beta4"
},
{
"introduced": "0.10.0-rc1"
},
{
"last_affected": "0.10.0-rc1"
},
{
"introduced": "0.10.0-rc2"
},
{
"last_affected": "0.10.0-rc2"
}
],
"source": "CPE_STRING",
"vendor_product": "lettre:lettre",
"cpes": [
"cpe:2.3:a:lettre:lettre:0.10.0:alpha1:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:alpha2:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:alpha3:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:alpha4:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:alpha5:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:beta1:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:beta2:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:beta3:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:beta4:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:rc1:*:*:*:rust:*:*",
"cpe:2.3:a:lettre:lettre:0.10.0:rc2:*:*:*:rust:*:*"
]
}
]
}