Home > Vulnerability Database > WS-2021-0117

Mend.io Vulnerability Database

WS-2021-0117

Good to know:

Date: May 22, 2021

Lettre is vulnerable from version 0.7.0. Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it. The flaw is fixed by correctly handling consecutive CRLF sequences. The issue has been fixed in versions 0.9.6 and 0.10.0.

Language: RUST

Severity Score

5.5

Related Resources (2)

Url: https://github.com/lettre/lettre/commit/93458d01fed0ec81c0e7b4e98e6f35961356fae2

Url: https://www.mend.io/vulnerability-database/WS-2021-0117

Severity Score

5.5

Weakness Type (CWE)

Command Injection

CWE-77

Injection

CWE-74

Top Fix

Upgrade Version

Upgrade to version lettre - 0.9.6,0.10.0-rc.3

Learn More

CVSS v3.1

Base Score:	5.5
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	UNCHANGED
Confidentiality (C):	NONE
Integrity (I):	NONE
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2021-0117

Good to know:

Date: May 22, 2021

Language: RUST

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?