Sha256: 3ab9ab69c118e5f020a21d14aad4445345f6ab7f02ac8f02d8e5e007c25080c7

Contents?: true

Size: 677 Bytes

Versions: 3

Compression:

Stored size: 677 Bytes

Contents

---
engine: ruby
cve: 2015-9096
url: https://hackerone.com/reports/137631
title: SMTP command injection
date: 2015-12-09
description: |
  Net::SMTP is vulnerable to SMTP command injection via CRLF sequences
  in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences
  immediately before and after a DATA substring.

  Applications that validate email address format are not affected by this
  vulnerability.

  The injection attack is described in Terada, Takeshi. "SMTP Injection via
  Recipient Email Addresses." 2015. The attacks described in the paper
  (Terada, p. 4) can be applied to without any modification.
patched_versions:
  - ">= 2.4.0"
  - "~> 2.3.5"

Version data entries

3 entries across 3 versions & 2 rubygems

Version                 Path
bundler-audit-0.7.0.1   data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml
bundler-budit-0.6.2     data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml
bundler-budit-0.6.1     data/ruby-advisory-db/rubies/ruby/CVE-2015-9096.yml