Add CVE-2015-9096 for Ruby Net::SMTP command injection.
Migrate Mail OSVDB-131677 to CVE-2015-9097.
Showing 3 changed files with 44 additions and 23 deletions.
@@ -0,0 +1,25 @@ | ||
--- | ||
gem: mail | ||
cve: CVE-2015-9097 | ||
url: https://hackerone.com/reports/137631 | ||
title: SMTP command injection | ||
date: 2015-12-09 | ||
description: | | ||
Because Mail does not disallow CRLF in email addresses, an attacker can | ||
inject SMTP commands in specially crafted email addresses passed to | ||
RCPT TO and MAIL FROM. | ||
Not affected by this vulnerability: | ||
* Ruby 2.4.0+ with a fix for CVE-2015-9096. | ||
* Applications that do not use SMTP delivery. | ||
* Applications that validate email addresses to not include CRLF. | ||
The injection attack is described in Terada, Takeshi. "SMTP Injection via | ||
Recipient Email Addresses." 2015. The attacks described in the paper | ||
(Terada, p. 4) can be applied to the library without any modification. | ||
patched_versions: | ||
- ">= 2.5.5" | ||
related: | ||
url: | ||
- http://www.mbsd.jp/Whitepaper/smtpi.pdf | ||
- https://github.com/mikel/mail/pull/1097 |
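Review bot: the single open-ended bound in `patched_versions: - ">= 2.5.5"` marks every later minor series of mail as fixed. If the change in https://github.com/mikel/mail/pull/1097 shipped as a 2.5.x backport and separately in a later 2.6.x release, the 2.6.x releases between them would be reported as patched while still accepting CRLF in addresses. Please confirm the first release of each series that contains the fix and list one bound per series (a `~> 2.5.5` entry plus a `>=` entry for the later series) rather than one `>=`. The "Not affected" bullet for Ruby 2.4.0+ is consistent with the `>= 2.4.0` bound in the companion CVE-2015-9096 entry, since Mail's SMTP delivery goes through Net::SMTP.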
This file was deleted.
@@ -0,0 +1,19 @@ | ||
--- | ||
engine: ruby | ||
cve: CVE-2015-9096 | ||
url: https://hackerone.com/reports/137631 | ||
title: SMTP command injection | ||
date: 2015-12-09 | ||
description: | | ||
Net::SMTP is vulnerable to SMTP command injection via CRLF sequences | ||
in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences | ||
immediately before and after a DATA substring. | ||
Applications that validate email address format are not affected by this | ||
vulnerability. | ||
The injection attack is described in Terada, Takeshi. "SMTP Injection via | ||
Recipient Email Addresses." 2015. The attacks described in the paper | ||
(Terada, p. 4) can be applied to without any modification. | ||
patched_versions: | ||
- ">= 2.4.0" |
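Review bot: the last sentence of the description, `(Terada, p. 4) can be applied to without any modification.`, is missing its object; the parallel Mail entry in this commit reads `can be applied to the library without any modification`, so this should read `can be applied to Net::SMTP without any modification`. The sentence `Applications that validate email address format are not affected by this vulnerability` is also looser than the Mail entry's wording: format validation that still admits CR or LF does not stop the injection, so prefer the same phrasing as the Mail advisory, `Applications that validate email addresses to not include CRLF are not affected`.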