CVE-2015-9097

Metadata

medium
4.3
ruby-mail
CVE-2015-9097
cve.mitre.org, openwall.com, mbsd.jp, github.com, github.com, hackerone.com, rubysec.com
2017-06-12
2017-10-23 14:37
CVE-2015-9097 ruby-mail
SMTP command injection
2017-07-05 19:37
2017-06-16 19:23
2017-06-15 02:36

Description

The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

Am I vulnerable?

The constraints below list the versions in which this vulnerability is patched and the versions that are unaffected. If a patch is ready but unreleased, it is listed as pending.

Affected package information

Release                      Package     Patched in
trusty                       ruby-mail   None

Unaffected

Release                      Package     Reason
precise/esm                  ruby-mail   DNE
vivid/stable-phone-overlay   ruby-mail   DNE
vivid/ubuntu-core            ruby-mail   DNE
xenial                       ruby-mail   not-affected
yakkety                      ruby-mail   not-affected
zesty                        ruby-mail   not-affected
artful                       ruby-mail   not-affected
devel                        ruby-mail   not-affected

Needs Triage

Release                      Package     Reason
upstream                     ruby-mail   needs-triage