Vulnerability Details CVE-2015-9097
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.01
EPSS Ranking 76.3%
CVSS Severity
CVSS v3 Score 6.1
CVSS v2 Score 4.3
References
- http://openwall.com/lists/oss-security/2015/12/11/3
- http://www.mbsd.jp/Whitepaper/smtpi.pdf
- https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
- https://github.com/mikel/mail/pull/1097
- https://github.com/rubysec/ruby-advisory-db/issues/215
- https://hackerone.com/reports/137631
- https://rubysec.com/advisories/mail-OSVDB-131677
- http://openwall.com/lists/oss-security/2015/12/11/3
- http://www.mbsd.jp/Whitepaper/smtpi.pdf
- https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83
- https://github.com/mikel/mail/pull/1097
- https://github.com/rubysec/ruby-advisory-db/issues/215
- https://hackerone.com/reports/137631
- https://rubysec.com/advisories/mail-OSVDB-131677
Products affected by CVE-2015-9097
-
cpe:2.3:a:mail_project:mail:2.0.3
-
cpe:2.3:a:mail_project:mail:2.0.5
-
cpe:2.3:a:mail_project:mail:2.1.1
-
cpe:2.3:a:mail_project:mail:2.1.2
-
cpe:2.3:a:mail_project:mail:2.1.3
-
cpe:2.3:a:mail_project:mail:2.1.4
-
cpe:2.3:a:mail_project:mail:2.1.5
-
cpe:2.3:a:mail_project:mail:2.1.5.1
-
cpe:2.3:a:mail_project:mail:2.1.5.2
-
cpe:2.3:a:mail_project:mail:2.1.5.3
-
cpe:2.3:a:mail_project:mail:2.2.0
-
cpe:2.3:a:mail_project:mail:2.2.1
-
cpe:2.3:a:mail_project:mail:2.2.10
-
cpe:2.3:a:mail_project:mail:2.2.11
-
cpe:2.3:a:mail_project:mail:2.2.12
-
cpe:2.3:a:mail_project:mail:2.2.13
-
cpe:2.3:a:mail_project:mail:2.2.14
-
cpe:2.3:a:mail_project:mail:2.2.15
-
cpe:2.3:a:mail_project:mail:2.2.16
-
cpe:2.3:a:mail_project:mail:2.2.17
-
cpe:2.3:a:mail_project:mail:2.2.18
-
cpe:2.3:a:mail_project:mail:2.2.19
-
cpe:2.3:a:mail_project:mail:2.2.2
-
cpe:2.3:a:mail_project:mail:2.2.20
-
cpe:2.3:a:mail_project:mail:2.2.3
-
cpe:2.3:a:mail_project:mail:2.2.4
-
cpe:2.3:a:mail_project:mail:2.2.5
-
cpe:2.3:a:mail_project:mail:2.2.5.1
-
cpe:2.3:a:mail_project:mail:2.2.5.2
-
cpe:2.3:a:mail_project:mail:2.2.6
-
cpe:2.3:a:mail_project:mail:2.2.7
-
cpe:2.3:a:mail_project:mail:2.2.8
-
cpe:2.3:a:mail_project:mail:2.2.9
-
cpe:2.3:a:mail_project:mail:2.3.0
-
cpe:2.3:a:mail_project:mail:2.3.1
-
cpe:2.3:a:mail_project:mail:2.3.2
-
cpe:2.3:a:mail_project:mail:2.3.3
-
cpe:2.3:a:mail_project:mail:2.4.0
-
cpe:2.3:a:mail_project:mail:2.4.1
-
cpe:2.3:a:mail_project:mail:2.4.2
-
cpe:2.3:a:mail_project:mail:2.4.3
-
cpe:2.3:a:mail_project:mail:2.4.4
-
cpe:2.3:a:mail_project:mail:2.5.0
-
cpe:2.3:a:mail_project:mail:2.5.1
-
cpe:2.3:a:mail_project:mail:2.5.2
-
cpe:2.3:a:mail_project:mail:2.5.3
-
cpe:2.3:a:mail_project:mail:2.5.4