{"id":"RUSTSEC-2020-0069","summary":"Argument injection in sendmail transport","details":"Affected versions of lettre allowed argument injection\nto the sendmail command. It was possible, using forged `to` addresses,\nto pass arbitrary arguments to the sendmail executable.\n\nDepending on the implementation (original sendmail, postfix, exim, etc.)\nit could be possible in some cases to write email data into arbitrary files (using sendmail's\nlogging features).\n \nThe flaw is corrected by modifying the executed command to stop parsing arguments\nbefore passing the destination addresses.\n\nNOTE: This vulnerability only affects the `sendmail` transport. Others, including `smtp`, are not\naffected.\n\nThis vulnerability was reported by vin01.","aliases":["CVE-2020-28247","GHSA-vc2p-r46x-m3vx"],"modified":"2023-11-08T04:03:24.160094Z","published":"2020-11-11T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/lettre"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2020-0069.html"},{"type":"WEB","url":"https://github.com/lettre/lettre/pull/508/commits/bbe7cc5381c5380b54fb8bbb4f77a3725917ff0b"}],"affected":[{"package":{"name":"lettre","ecosystem":"crates.io","purl":"pkg:cargo/lettre"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.7.0"},{"fixed":"0.7.1"},{"introduced":"0.8.0"},{"fixed":"0.8.4"},{"introduced":"0.9.0"},{"fixed":"0.9.5"},{"introduced":"0.10.0-alpha.1"},{"fixed":"0.10.0-alpha.4"}]}],"ecosystem_specific":{"affects":{"arch":[],"os":[],"functions":["lettre::sendmail::SendmailTransport::send","lettre::transport::sendmail::SendmailTransport::send","lettre::transport::sendmail::SendmailTransport::send_raw"]},"affected_functions":null},"database_specific":{"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2020-0069.json","cvss":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N","informational":null,"categories":["code-execution","file-disclosure"]}}],"schema_version":"1.7.3","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}