CVE-2015-9097 — CRLF Injection in Mail

CWE-93 — CRLF Injection CWE-88 — Argument Injection8 documents7 sources

Severity

6.1MEDIUMNVD

EPSS

1.0%

top 22.73%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Mail Mail Project Mail

Timeline

PublishedJun 12

Latest updateOct 24

Description

The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.7

Affected Packages2 packages

▶RubyGemsnextcloud/mail< 2.5.5

▶NVDmail_project/mail2.5.4

🔴Vulnerability Details

GHSA

Mail Gem CRLF Injection vulnerability↗2017-10-24

▶

OSV

Mail Gem CRLF Injection vulnerability↗2017-10-24

▶

OSV

CVE-2015-9097: The mail gem before 2↗2017-06-12

▶

CVEList

CVE-2015-9097: The mail gem before 2↗2017-06-12

▶

📋Vendor Advisories

Red Hat

rubygem-mail: SMTP injection via recipient email addresses↗2015-12-11

▶

Debian

CVE-2015-9097: ruby-mail - The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerabl...↗2015

▶

💬Community

Bugzilla

CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses↗2015-12-22

▶