{"id":"RUSTSEC-2021-0069","summary":"SMTP command injection in body","details":"Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.\n\nThe flaw is fixed by correctly handling consecutive CRLF sequences.","aliases":["CVE-2021-38189","GHSA-qc36-q22q-cjw3"],"modified":"2023-11-08T04:06:25.799670Z","published":"2021-05-22T12:00:00Z","database_specific":{"license":"CC0-1.0"},"references":[{"type":"PACKAGE","url":"https://crates.io/crates/lettre"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2021-0069.html"},{"type":"WEB","url":"https://github.com/lettre/lettre/pull/627/commits/93458d01fed0ec81c0e7b4e98e6f35961356fae2"}],"affected":[{"package":{"name":"lettre","ecosystem":"crates.io","purl":"pkg:cargo/lettre"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0.7.0"},{"fixed":"0.9.6"},{"introduced":"0.10.0-alpha.1"},{"fixed":"0.10.0-rc.3"}]}],"ecosystem_specific":{"affects":{"functions":["lettre::smtp::SmtpTransport::send","lettre::transport::smtp::SmtpTransport::send","lettre::transport::smtp::SmtpTransport::send_raw"],"os":[],"arch":[]},"affected_functions":null},"database_specific":{"informational":null,"source":"https://github.com/rustsec/advisory-db/blob/osv/crates/RUSTSEC-2021-0069.json","cvss":null,"categories":["format-injection"]}}],"schema_version":"1.7.3"}