{"id":"CVE-2021-38189","details":"An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two \u003cCR\u003e\u003cLF\u003e sequences and then inject arbitrary SMTP commands.","aliases":["GHSA-qc36-q22q-cjw3","RUSTSEC-2021-0069"],"modified":"2026-04-10T04:36:30.336157Z","published":"2021-08-08T06:15:08.893Z","references":[{"type":"ADVISORY","url":"https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/lettre/RUSTSEC-2021-0069.md"},{"type":"FIX","url":"https://rustsec.org/advisories/RUSTSEC-2021-0069.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/lettre/lettre","events":[{"introduced":"0"},{"fixed":"5e474677f9b9a7c68066fc5c9f6b6ec36f52c391"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.9.6"}]}}],"versions":["v0.0.11","v0.0.13","v0.0.9","v0.1.0","v0.1.1","v0.1.2","v0.2.0","v0.3.0","v0.4.0","v0.5.0","v0.5.1","v0.6.0","v0.7.0","v0.8.0","v0.9.0","v0.9.1","v0.9.2","v0.9.3","v0.9.4","v0.9.5"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"0.10.0-alpha1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-alpha2"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-alpha3"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-alpha4"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-alpha5"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-beta1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-beta2"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-beta3"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-beta4"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-rc1"}]},{"events":[{"introduced":"0"},{"last_affected":"0.10.0-rc2"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-38189.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}