CVE-2021-38189

high-risk
Published 2021-08-08

An issue was discovered in the lettre crate before 0.9.6 for Rust. In an e-mail message body, an attacker can place a . character after two <CR><LF> sequences and then inject arbitrary SMTP commands.

Do I need to act?

-
0.48% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 5e474677f9b9a7c68066fc5c9f6b6ec36f52c391
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (12)

Lettre
Lettre
Lettre
Lettre
Lettre
Lettre
Lettre
Lettre
Lettre
Lettre
Lettre
Lettre

Affected Vendors

Lettre

References (4)

Third Party Advisory https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/lettre/RUSTSEC...
Exploit https://rustsec.org/advisories/RUSTSEC-2021-0069.html
Third Party Advisory https://raw.githubusercontent.com/rustsec/advisory-db/main/crates/lettre/RUSTSEC...
Exploit https://rustsec.org/advisories/RUSTSEC-2021-0069.html
51
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 17/34 · Moderate