CVE-2015-9096 - Vulnerability Details - OpenCVE

Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.01592.

Key SSVC decision points have not yet been added.

Vendors	Products
Ruby-lang	Ruby

Configuration 1 [-]

cpe:2.3:a:ruby-lang:ruby:*:rc1:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
Debian DLA	DLA-1421-1	ruby2.1 security update
Debian DSA	DSA-3966-1	ruby2.3 security update
EUVD	EUVD-2015-8950	Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
Ubuntu USN	USN-3365-1	Ruby vulnerabilities

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
http://www.mbsd.jp/Whitepaper/smtpi.pdf
https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee
https://github.com/rubysec/ruby-advisory-db/issues/215
https://hackerone.com/reports/137631
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://nvd.nist.gov/vuln/detail/CVE-2015-9096
https://www.cve.org/CVERecord?id=CVE-2015-9096
https://www.debian.org/security/2017/dsa-3966

History

Sat, 12 Jul 2025 13:45:00 +0000

Type	Values Removed	Values Added
Metrics	epss `{'score': 0.00446}`	epss `{'score': 0.01297}`

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-06-12T20:00:00

Updated: 2024-08-06T08:36:31.894Z

Reserved: 2017-06-12T00:00:00

Link: CVE-2015-9096

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2017-06-12T20:29:00.190

Modified: 2025-04-20T01:37:25.860

Link: CVE-2015-9096

Redhat

Severity : Low

Publid Date: 2017-06-12T00:00:00Z

Links: CVE-2015-9096 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2017-06-12T00:00:00", "descriptions": [{"lang": "en", "value": "Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-07-14T09:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"name": "DSA-3966", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2017/dsa-3966"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/137631"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/rubysec/ruby-advisory-db/issues/215"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee"}, {"tags": ["x_refsource_MISC"], "url": "http://www.mbsd.jp/Whitepaper/smtpi.pdf"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2015-9096", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-3966", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2017/dsa-3966"}, {"name": "https://hackerone.com/reports/137631", "refsource": "MISC", "url": "https://hackerone.com/reports/137631"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"name": "https://github.com/rubysec/ruby-advisory-db/issues/215", "refsource": "MISC", "url": "https://github.com/rubysec/ruby-advisory-db/issues/215"}, {"name": "https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee", "refsource": "MISC", "url": "https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee"}, {"name": "http://www.mbsd.jp/Whitepaper/smtpi.pdf", "refsource": "MISC", "url": "http://www.mbsd.jp/Whitepaper/smtpi.pdf"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T08:36:31.894Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-3966", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2017/dsa-3966"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/137631"}, {"name": "[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/rubysec/ruby-advisory-db/issues/215"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://www.mbsd.jp/Whitepaper/smtpi.pdf"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2015-9096", "datePublished": "2017-06-12T20:00:00", "dateReserved": "2017-06-12T00:00:00", "dateUpdated": "2024-08-06T08:36:31.894Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:*:rc1:*:*:*:*:*:*", "matchCriteriaId": "70BED4E2-17E3-4B9D-8C58-ECBE978E90F3", "versionEndIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring."}, {"lang": "es", "value": "El modulo Net::SMTP de Ruby anterior a su versi\u00f3n 2.4.0 es vulnerable a la inyecci\u00f3n de comandos SMTP mediante secuencias CRLF de los comandos \"RCPT TO\" o \"MAIL FROM\", como demuestra las secuencias CRLF inmediatamente antes y despu\u00e9s de la substring DATA."}], "id": "CVE-2015-9096", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-06-12T20:29:00.190", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.mbsd.jp/Whitepaper/smtpi.pdf"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/issues/215"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/137631"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2017/dsa-3966"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "http://www.mbsd.jp/Whitepaper/smtpi.pdf"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/ruby/ruby/commit/0827a7e52ba3d957a634b063bf5a391239b9ffee"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/issues/215"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/137631"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2017/dsa-3966"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ruby: SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands in Net::SMTP", "id": "1461846", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1461846"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "draft"}, "cwe": "CWE-88", "details": ["Net::SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.", "A SMTP command injection flaw was found in the way Ruby's Net::SMTP module handled CRLF sequences in certain SMTP commands. An attacker could potentially use this flaw to inject SMTP commands in a SMTP session in order to facilitate phishing attacks or spam campaigns."], "name": "CVE-2015-9096", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "rh-ruby22-ruby", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "ruby-200-ruby", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Will not fix", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Will not fix", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "rh-ruby22-ruby", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Will not fix", "package_name": "rh-ruby23-ruby", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:2", "fix_state": "Not affected", "package_name": "rh-ruby24-ruby", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-ruby", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2017-06-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2015-9096\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-9096"], "threat_severity": "Low"}