rustsec-2020-0069
Vulnerability from osv_rustsec
Published
2020-11-11 12:00
Modified
2023-06-13 13:10
Summary
Argument injection in sendmail transport
Details

Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.

Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into arbitrary files (using sendmail's logging features).

The flaw is corrected by modifying the executed command to stop parsing arguments before passing the destination addresses.

NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.

This vulnerability was reported by vin01.

To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "categories": [
          "code-execution",
          "file-disclosure"
        ],
        "cvss": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
        "informational": null
      },
      "ecosystem_specific": {
        "affected_functions": null,
        "affects": {
          "arch": [],
          "functions": [
            "lettre::sendmail::SendmailTransport::send",
            "lettre::transport::sendmail::SendmailTransport::send",
            "lettre::transport::sendmail::SendmailTransport::send_raw"
          ],
          "os": []
        }
      },
      "package": {
        "ecosystem": "crates.io",
        "name": "lettre",
        "purl": "pkg:cargo/lettre"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.7.0"
            },
            {
              "fixed": "0.7.1"
            },
            {
              "introduced": "0.8.0"
            },
            {
              "fixed": "0.8.4"
            },
            {
              "introduced": "0.9.0"
            },
            {
              "fixed": "0.9.5"
            },
            {
              "introduced": "0.10.0-alpha.1"
            },
            {
              "fixed": "0.10.0-alpha.4"
            }
          ],
          "type": "SEMVER"
        }
      ],
      "versions": []
    }
  ],
  "aliases": [
    "CVE-2020-28247",
    "GHSA-vc2p-r46x-m3vx"
  ],
  "database_specific": {
    "license": "CC0-1.0"
  },
  "details": "Affected versions of lettre allowed argument injection\nto the sendmail command. It was possible, using forged `to` addresses,\nto pass arbitrary arguments to the sendmail executable.\n\nDepending on the implementation (original sendmail, postfix, exim, etc.)\nit could be possible in some cases to write email data into arbitrary files (using sendmail\u0027s\nlogging features).\n \nThe flaw is corrected by modifying the executed command to stop parsing arguments\nbefore passing the destination addresses.\n\nNOTE: This vulnerability only affects the `sendmail` transport. Others, including `smtp`, are not\naffected.\n\nThis vulnerability was reported by vin01.",
  "id": "RUSTSEC-2020-0069",
  "modified": "2023-06-13T13:10:24Z",
  "published": "2020-11-11T12:00:00Z",
  "references": [
    {
      "type": "PACKAGE",
      "url": "https://crates.io/crates/lettre"
    },
    {
      "type": "ADVISORY",
      "url": "https://rustsec.org/advisories/RUSTSEC-2020-0069.html"
    },
    {
      "type": "WEB",
      "url": "https://github.com/lettre/lettre/pull/508/commits/bbe7cc5381c5380b54fb8bbb4f77a3725917ff0b"
    }
  ],
  "related": [],
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Argument injection in sendmail transport"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.