CVE-2021-38189: SMTP command injection in lettre
Affected versions of lettre allowed SMTP command injection through an attacker-controlled message body. The module that escapes body lines starting with a period did not catch a period placed immediately after a double CRLF sequence, so such a line reached the server as a bare "." line, which terminates the DATA phase; the attacker could thereby end the current message and write arbitrary SMTP commands after it.
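The escaping behaviour described above, as an added Rust example that is not lettre's code: a simplified SMTP dot-stuffing encoder with a buggy transition table (a hypothetical reconstruction of the defect class, not the project's actual implementation) that misses a period after a double CRLF, beside the corrected transition and a check a sender can run over the encoded body before transmitting it.

```rust
// RFC 5321 section 4.5.2: a body line beginning with '.' must be sent as "..",
// because a bare "." line ends DATA and later bytes are parsed as commands.
// Assumed state encoding: 0 = no CR seen, 1 = just saw '\r', 2 = just saw "\r\n".

/// Shared scanner; `next_state` maps (state, byte) -> state.
fn dot_stuff(body: &[u8], next_state: fn(u8, u8) -> u8) -> Vec<u8> {
    let mut out = Vec::with_capacity(body.len() + 8);
    let mut state: u8 = 2; // the first byte of the body is a line start
    for &b in body {
        if state == 2 && b == b'.' {
            out.push(b'.'); // stuff the extra dot
        }
        state = next_state(state, b);
        out.push(b);
    }
    out
}

/// Buggy transition (hypothetical): '\r' is only recognised from state 0, so
/// right after a completed CRLF (state 2) a second '\r' resets to 0 and the
/// following "\n." is never seen as a line start.
fn buggy_next(state: u8, b: u8) -> u8 {
    match (state, b) {
        (0, b'\r') => 1,
        (1, b'\n') => 2,
        _ => 0,
    }
}

/// Fixed transition: '\r' begins a CRLF from any state.
fn fixed_next(state: u8, b: u8) -> u8 {
    match (state, b) {
        (_, b'\r') => 1,
        (1, b'\n') => 2,
        _ => 0,
    }
}

/// Defensive check on the encoded body (before the client appends its own
/// "\r\n.\r\n"): a bare "." line anywhere means the server would end DATA early.
fn contains_premature_terminator(encoded: &[u8]) -> bool {
    encoded.starts_with(b".\r\n") || encoded.windows(5).any(|w| w == &b"\r\n.\r\n"[..])
}

fn main() {
    // Constructed body: an empty line followed by a line holding only a period.
    let body = b"Hello\r\n\r\n.\r\nstill body\r\n";
    println!("buggy ends DATA early: {}", contains_premature_terminator(&dot_stuff(body, buggy_next)));
    println!("fixed ends DATA early: {}", contains_premature_terminator(&dot_stuff(body, fixed_next)));
}
```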
References
- github.com/advisories/GHSA-qc36-q22q-cjw3
- github.com/lettre/lettre
- github.com/lettre/lettre/commit/8bfc20506cc5e098fe6eb3d1cafe3bea791215ce
- github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2
- github.com/lettre/lettre/security/advisories/GHSA-qc36-q22q-cjw3
- nvd.nist.gov/vuln/detail/CVE-2021-38189
- rustsec.org/advisories/RUSTSEC-2021-0069.html