CVE-2020-28247 – lettre

Package

Manager: cargo
Name: lettre
Vulnerable Version: >=0.9.0 <0.9.5 || >=0.8.0 <0.8.4 || >=0.7.0 <0.7.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0026 pctl0.49131

Details

Argument injection in lettre ### Impact Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable. Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail's logging features). *NOTE*: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected. ### Fix The flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses. ### References * [RUSTSEC-2020-0069](https://rustsec.org/advisories/RUSTSEC-2020-0069.html) * [CVE-2020-28247](https://nvd.nist.gov/vuln/detail/CVE-2020-28247)

Metadata

Created: 2021-08-25T20:56:48Z
Modified: 2021-08-18T20:59:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/08/GHSA-vc2p-r46x-m3vx/GHSA-vc2p-r46x-m3vx.json
CWE IDs: ["CWE-77"]
Alternative ID: GHSA-vc2p-r46x-m3vx
Finding: F422
Auto approve: 1