NVD Vulnerability Detail

CVE-2015-9096

Summary	Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Publication Date	June 13, 2017, 5:29 a.m.
Registration Date	Jan. 26, 2021, 2:59 p.m.
Last Update	Nov. 21, 2024, 11:39 a.m.

Affected software configurations

Configuration1		or higher	or less	more than	less than
cpe:2.3:a:ruby-lang:ruby::rc1::::::*			2.4.0

Related information, measures and tools

No	URL	タグ
1	http://www.mbsd.jp/Whitepaper/smtpi.pdf	Exploit Third Party Advisory
2	http://www.mbsd.jp/Whitepaper/smtpi.pdf	Exploit Third Party Advisory
3	https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee	Patch Third Party Advisory
4	https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee	Patch Third Party Advisory
5	https://github.com/rubysec/ruby-advisory-db/issues/215	Issue Tracking Third Party Advisory
6	https://github.com/rubysec/ruby-advisory-db/issues/215	Issue Tracking Third Party Advisory
7	https://hackerone.com/reports/137631	Third Party Advisory
8	https://hackerone.com/reports/137631	Third Party Advisory
9	https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
10	https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
11	https://www.debian.org/security/2017/dsa-3966
12	https://www.debian.org/security/2017/dsa-3966

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-93	CRLF インジェクション	https://cwe.mitre.org/data/definitions/93.html

JVN Vulnerability Information

Ruby の Net::SMTP における SMTP コマンドインジェクションの脆弱性

Title	Ruby の Net::SMTP における SMTP コマンドインジェクションの脆弱性
Summary	Ruby の Net::SMTP には、SMTP コマンドインジェクションの脆弱性が存在します。
Possible impacts	RCPT TO または MAIL FROM コマンドの CRLF シーケンスを介して、SMTP コマンドインジェクション攻撃を実行される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Dec. 11, 2015, midnight
Registration Date	July 18, 2017, 6:03 p.m.
Last Update	July 18, 2017, 6:03 p.m.

Affected System

Ruby-lang.org

Ruby 2.4.0 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2015-9096	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9096
National Vulnerability Database (NVD)
2	CVE-2015-9096	https://nvd.nist.gov/vuln/detail/CVE-2015-9096

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-93	https://cwe.mitre.org/data/definitions/93.html

ベンダー情報

No	Name	URL
GitHub
1	* lib/net/smtp.rb (getok, get_response): raise an ArgumentError when CR or LF is included in a line	https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
2	Add advisory for SMTP injection vulnerability in mail <2.6.0 #215	https://github.com/rubysec/ruby-advisory-db/issues/215

Change Log

No	Changed Details	Date of change
0	[2017年07月18日] 掲載	Feb. 17, 2018, 10:37 a.m.