RubySec

Providing security resources for the Ruby community

CVE-2015-9097 (mail): CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses

ADVISORIES

GEM

mail

PATCHED VERSIONS

  • >= 2.5.5

DESCRIPTION

The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.