GHSA-vc2p-r46x-m3vx

Suggest an improvement
Source
https://github.com/advisories/GHSA-vc2p-r46x-m3vx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vc2p-r46x-m3vx/GHSA-vc2p-r46x-m3vx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-vc2p-r46x-m3vx
Aliases
Published
2021-08-25T20:56:48Z
Modified
2023-11-08T04:03:24.160094Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
Summary
Argument injection in lettre
Details

Impact

Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.

Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features).

NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

Fix

The flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses.

References

Database specific
{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-08-18T20:59:57Z"
}
References

Affected packages

crates.io / lettre

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.9.0
Fixed
0.9.5

Ecosystem specific

{
    "affected_functions": [
        "lettre::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send_raw"
    ]
}

crates.io / lettre

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.8.0
Fixed
0.8.4

Ecosystem specific

{
    "affected_functions": [
        "lettre::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send_raw"
    ]
}

crates.io / lettre

Package

Affected ranges

Type
SEMVER
Events
Introduced
0.7.0
Fixed
0.7.1

Ecosystem specific

{
    "affected_functions": [
        "lettre::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send",
        "lettre::transport::sendmail::SendmailTransport::send_raw"
    ]
}