SMTP command injection
Package
lettre
(crates.io)
Affected versions
<0.10.0-rc.3 <0.9.6 0.8 0.7
Patched versions
0.10.0-rc.3 0.9.6
Description
Credits
-
paolobarbolini Analyst
paolobarbolini
Analyst
Impact
Affected versions of lettre allowed SMTP command injection through an attacker's controlled message body. The module for escaping lines starting with a period wouldn't catch a period that was placed after a double CRLF sequence, allowing the attacker to end the current message and write arbitrary SMTP commands after it.
Fix
The flaw is fixed by correctly handling consecutive CRLF sequences.
References