Red Hat Bugzilla – Bug 1293598
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
Last modified: 2017-08-08 03:00:29 EDT
It was found that versions of rubygem-mail prior to 2.6.0 are vulnerable to SMTP injection via recipient email addresses. The mail module neither validates nor sanitizes the recipient addresses it is given, and it imposes no length limit on email addresses. An attacker can therefore send a long spam message via the recipient address unless the application enforces its own limit. This vulnerability affects only applications that lack input validation.
Note that this patch might not be complete, since according to the author the fault can also lie on Net::SMTP's side.
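An application-side input check for this class of issue, as an added example that is not code from rubygem-mail or from the bug report; the 254-octet limit (the RFC 5321 mailbox maximum) and the address shape regex are assumptions chosen for illustration:

```ruby
# Added example, not rubygem-mail's own code: reject recipient addresses that
# could carry SMTP injection before they are handed to the mail library.
# Assumptions: a 254-octet cap (RFC 5321 mailbox limit) and a simple shape
# check that is stricter than RFC 5322 but adequate for user-supplied input.

MAX_ADDRESS_LENGTH = 254

# CR, LF and NUL terminate or corrupt SMTP command and header lines; an
# address containing any of them must never reach the SMTP client.
INJECTION_CHARS = /[\r\n\x00]/

# One local part, one "@", one domain with a TLD, and nothing else.
SIMPLE_ADDRESS = /\A[[:alnum:]._%+\-]+@[[:alnum:].\-]+\.[[:alpha:]]{2,}\z/

# Returns nil when the address is acceptable, otherwise a reason string.
def recipient_rejection_reason(address)
  return "not a string" unless address.is_a?(String)
  if address.length > MAX_ADDRESS_LENGTH
    return "too long (#{address.length} > #{MAX_ADDRESS_LENGTH})"
  end
  return "contains CR, LF or NUL" if address.match?(INJECTION_CHARS)
  return "does not look like a single mailbox" unless address.match?(SIMPLE_ADDRESS)
  nil
end

def valid_recipient?(address)
  recipient_rejection_reason(address).nil?
end

# Splits user-supplied recipients into [accepted, rejected]; each rejected
# entry is [address, reason] so the decision can be logged.
def partition_recipients(addresses)
  accepted = []
  rejected = []
  addresses.each do |addr|
    reason = recipient_rejection_reason(addr)
    reason ? rejected << [addr, reason] : accepted << addr
  end
  [accepted, rejected]
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample input, not data from the bug report.
  sample = ["alice@example.com", "bob@example.com\r\nextra", "x" * 300 + "@example.com"]
  accepted, rejected = partition_recipients(sample)
  puts "accepted: #{accepted.inspect}"
  rejected.each { |addr, why| puts "rejected #{addr.inspect[0, 40]}: #{why}" }
end
```

Run the check on every recipient before building the Mail object, and log the rejection reason rather than the raw address so injected line breaks do not also reach the log.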