PT-2020-16953 · Rust · Lettre

Published 2020-11-11 · Updated 2021-08-25 · CVE-2020-28247

CVSS v3.1: 5.3 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: lettre library versions through 0.10.0-alpha
Description: The issue allows arbitrary sendmail option injection via transport/sendmail/mod.rs. Affected versions of lettre allowed argument injection into the sendmail command, making it possible to pass arbitrary arguments to the sendmail executable using forged "to" addresses. Depending on the sendmail implementation, it could be possible to write email data into arbitrary files using sendmail's logging features. The flaw is corrected by modifying the executed command so that option parsing stops before the destination addresses are passed. This issue only affects the sendmail transport; other transports such as smtp are not affected.
Recommendations: For versions through 0.10.0-alpha, the flaw is corrected by modifying the executed command so that option parsing stops before the destination addresses are passed. As a temporary workaround, consider disabling the sendmail transport until a patched version is in use. Restrict access to the transport/sendmail/mod.rs module to minimize the risk of exploitation. Avoid using the "to" address parameter with the affected sendmail transport until the issue is resolved.
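The pattern behind the description and fix above, as an added example that is not lettre's own code: recipients appended directly after the options are parsed by sendmail as options, while an end-of-options marker before the recipient list closes that path. The example assumes the sendmail binary honours the POSIX "--" marker; the function names and the forged recipient value are constructed for illustration.

```rust
// Added example, not lettre's own code. Builds the argument vector that would
// be handed to std::process::Command::args for a sendmail binary; nothing is
// spawned here. Assumes sendmail honours the POSIX "--" end-of-options marker.

/// Vulnerable pattern: recipients follow the options directly, so a forged
/// "to" address beginning with '-' is read by sendmail as an option.
fn sendmail_args_vulnerable(recipients: &[&str]) -> Vec<String> {
    let mut args = vec!["-i".to_string()];
    args.extend(recipients.iter().map(|r| r.to_string()));
    args
}

/// Hardened pattern: "--" stops option parsing, so every later argument is
/// taken as a recipient address even when it starts with '-'.
fn sendmail_args_hardened(recipients: &[&str]) -> Vec<String> {
    let mut args = vec!["-i".to_string(), "--".to_string()];
    args.extend(recipients.iter().map(|r| r.to_string()));
    args
}

/// Defence in depth: reject anything that does not look like a bare address.
fn is_plausible_recipient(addr: &str) -> bool {
    !addr.is_empty()
        && !addr.starts_with('-')
        && addr.matches('@').count() == 1
        && !addr.chars().any(|c| c.is_whitespace() || c.is_control())
}

/// Validate every recipient first, then build the hardened argument vector.
fn prepare_sendmail_args(recipients: &[&str]) -> Result<Vec<String>, String> {
    if let Some(bad) = recipients.iter().copied().find(|r| !is_plausible_recipient(r)) {
        return Err(format!("rejected recipient {:?}", bad));
    }
    Ok(sendmail_args_hardened(recipients))
}

fn main() {
    // Constructed inputs: one legitimate address and one forged "to" value.
    let recipients = ["alice@example.org", "-constructed-option"];
    println!("vulnerable argv: {:?}", sendmail_args_vulnerable(&recipients));
    println!("hardened argv:   {:?}", sendmail_args_hardened(&recipients));
    match prepare_sendmail_args(&recipients) {
        Ok(args) => println!("would run sendmail with {:?}", args),
        Err(e) => println!("validation failed: {}", e),
    }
}
```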

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2020-28247
GHSA-VC2P-R46X-M3VX
RUSTSEC-2020-0069

Affected Products

Lettre