GHSA-vc2p-r46x-m3vx

Source

https://github.com/advisories/GHSA-vc2p-r46x-m3vx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vc2p-r46x-m3vx/GHSA-vc2p-r46x-m3vx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-vc2p-r46x-m3vx

Aliases

Published

2021-08-25T20:56:48Z

Modified

2023-11-08T04:03:24.160094Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

Argument injection in lettre

Details

Impact

Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.

Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features).

NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

Fix

The flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses.

References

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:59:57Z"
}

References

Affected packages

crates.io / lettre

Package

Name: lettre; View open source insights on deps.dev
Purl: pkg:cargo/lettre

Affected ranges

Type: SEMVER
Events: Introduced

0.9.0

Fixed

0.9.5

Ecosystem specific

{
    "affected_functions": [
        "lettre::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send_raw"
    ]
}

crates.io / lettre

Package

Name: lettre; View open source insights on deps.dev
Purl: pkg:cargo/lettre

Affected ranges

Type: SEMVER
Events: Introduced

0.8.0

Fixed

0.8.4

Ecosystem specific

{
    "affected_functions": [
        "lettre::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send_raw"
    ]
}

crates.io / lettre

Package

Name: lettre; View open source insights on deps.dev
Purl: pkg:cargo/lettre

Affected ranges

Type: SEMVER
Events: Introduced

0.7.0

Fixed

0.7.1

Ecosystem specific

{
    "affected_functions": [
        "lettre::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send_raw"
    ]
}