PT-2021-21996 · Lettre
Published 2021-05-22 · Updated 2021-08-16
CVE-2021-38189
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
lettre versions prior to 0.9.6
Description:
An issue in the lettre crate for Rust allows an attacker to inject arbitrary SMTP commands through an attacker-controlled message body by placing a `.` character after two consecutive CRLF sequences. The module that escapes lines starting with a period does not catch a period placed directly after a double CRLF sequence, so the attacker can end the current message early and write arbitrary SMTP commands after it.
Recommendations:
For versions prior to 0.9.6, update to version 0.9.6 or later, which fixes the issue by correctly handling consecutive CRLF sequences. As a temporary workaround, consider restricting the use of the lettre crate until the patch is applied.
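To make the failure mode in the description concrete, here is an added Rust example (not lettre's own code, and not the patched 0.9.6 implementation) of a dot-stuffing encoder for an SMTP DATA body that tracks start-of-line state explicitly, so a period after one, two or more consecutive CRLF sequences is escaped like any other, together with a check a defender can run on an encoded payload to confirm that no end-of-data marker appears before the terminator. The function names `dot_stuff` and `contains_premature_eod` and the sample bodies are constructed for this example.

```rust
// Added example, not lettre's code: RFC 5321 dot-stuffing for an SMTP DATA
// body with explicit start-of-line tracking, plus a check that the encoded
// output cannot end the DATA section early.

/// End-of-data marker that terminates the SMTP DATA section.
const EOD: &[u8] = b"\r\n.\r\n";

/// Escape `body` for transmission after DATA and append the terminator.
/// Any line that begins with '.' gets a second '.' prepended. "Line start"
/// is tracked per byte, so a '.' that follows one, two or more consecutive
/// CRLF sequences (i.e. after an empty line) is escaped just like any other.
/// Only CRLF is treated as a line break here, matching the SMTP wire format.
pub fn dot_stuff(body: &[u8]) -> Vec<u8> {
    let mut out = Vec::with_capacity(body.len() + EOD.len());
    let mut at_line_start = true; // the first byte of the body starts a line
    let mut prev = 0u8;
    for &b in body {
        if at_line_start && b == b'.' {
            out.push(b'.'); // dot-stuff: ".foo" becomes "..foo"
        }
        out.push(b);
        // The next byte starts a line exactly when this byte completes a CRLF.
        at_line_start = b == b'\n' && prev == b'\r';
        prev = b;
    }
    // Make sure the body ends on a line boundary, then append ".CRLF".
    if !out.ends_with(b"\r\n") {
        out.extend_from_slice(b"\r\n");
    }
    out.extend_from_slice(b".\r\n");
    out
}

/// Defensive check on an encoded DATA payload: true if the end-of-data
/// marker occurs anywhere except as the final bytes, meaning the payload
/// would terminate the message early and whatever follows would reach the
/// server as commands.
pub fn contains_premature_eod(encoded: &[u8]) -> bool {
    // Number of windows to inspect: all except the one that ends the payload.
    let inspect = encoded.len().saturating_sub(EOD.len());
    encoded.windows(EOD.len()).take(inspect).any(|w| w == EOD)
}

fn main() {
    // Constructed hostile body: a '.' on its own line right after an empty
    // line, followed by text that would be read as an SMTP command if the
    // DATA section ended there.
    let body = b"Hello\r\n\r\n.\r\nQUIT\r\n";
    println!("raw body ends DATA early: {}", contains_premature_eod(body));
    let encoded = dot_stuff(body);
    println!("encoded: {:?}", String::from_utf8_lossy(&encoded));
    println!("encoded ends DATA early: {}", contains_premature_eod(&encoded));
}
```

The encoder keeps a single boolean for "am I at the start of a line" and recomputes it from the byte just written, so there is no separate counter that can fall out of sync when several CRLFs arrive in a row; `contains_premature_eod` is the invariant to assert in a unit test of any mail library's DATA encoding, since an unescaped `CRLF . CRLF` inside the payload is exactly what this advisory describes.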
References: Exploit · Fix
Type: Command Injection
Related Identifiers: CVE-2021-38189
Affected Products: Lettre