CVE-2020-28247: Argument injection in lettre
Affected versions of lettre allowed argument injection to the sendmail command. It was possible, using forged to addresses, to pass arbitrary arguments to the sendmail executable.
Depending on the implementation (original sendmail, postfix, exim, etc.) it could be possible in some cases to write email data into abritrary files (using sendmail’s logging features).
NOTE: This vulnerability only affects the sendmail transport. Others, including smtp, are not affected.
References
- github.com/RustSec/advisory-db/pull/478/files
- github.com/advisories/GHSA-vc2p-r46x-m3vx
- github.com/lettre/lettre
- github.com/lettre/lettre/pull/508/commits/bbe7cc5381c5380b54fb8bbb4f77a3725917ff0b
- github.com/lettre/lettre/security/advisories/GHSA-vc2p-r46x-m3vx
- nvd.nist.gov/vuln/detail/CVE-2020-28247
- rustsec.org/advisories/RUSTSEC-2020-0069.html
Code Behaviors & Features
Detect and mitigate CVE-2020-28247 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →