Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/mail@2.4.4

Type gem

Namespace

Name mail

Version 2.4.4

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.5.5.rc1

Latest_non_vulnerable_version 2.7.0.rc1

Affected_by_vulnerabilities

url VCID-pgqp-64zv-8fc3

vulnerability_id VCID-pgqp-64zv-8fc3

summary

SMTP Injection via to/from addresses
The mail package does not disallow CRLF in email addresses; an attacker can inject SMTP commands in specially crafted email addresses passed to `RCPT TO` and `MAIL FROM`.

references

reference_url

http://openwall.com/lists/oss-security/2015/12/11/3

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2015/12/11/3

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2015-9097

reference_id

reference_type

scores

value	0.01021
scoring_system	epss
scoring_elements	0.77536
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2015-9097

reference_url

https://github.com/mikel/mail

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/mikel/mail

reference_url

https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/mikel/mail/commit/72befdc4dab3e6e288ce226a7da2aa474cf5be83

reference_url

https://github.com/mikel/mail/pull/1097

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/mikel/mail/pull/1097

reference_url

https://github.com/rubysec/ruby-advisory-db/issues/215

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/issues/215

reference_url

https://hackerone.com/reports/137631

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/137631

reference_url

https://rubysec.com/advisories/mail-OSVDB-131677

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rubysec.com/advisories/mail-OSVDB-131677

reference_url

http://www.mbsd.jp/Whitepaper/smtpi.pdf

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.mbsd.jp/Whitepaper/smtpi.pdf

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2015-9097

reference_id

CVE-2015-9097

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2015-9097

reference_url

https://github.com/advisories/GHSA-q86f-fmqf-qrf6

reference_id

GHSA-q86f-fmqf-qrf6

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-q86f-fmqf-qrf6

fixed_packages

url	pkg:gem/mail@2.5.5.rc1
purl	pkg:gem/mail@2.5.5.rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/mail@2.5.5.rc1

url	pkg:gem/mail@2.5.5
purl	pkg:gem/mail@2.5.5
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/mail@2.5.5

url	pkg:gem/mail@2.6.6.rc1
purl	pkg:gem/mail@2.6.6.rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/mail@2.6.6.rc1

url	pkg:gem/mail@2.7.0.rc1
purl	pkg:gem/mail@2.7.0.rc1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:gem/mail@2.7.0.rc1

aliases CVE-2015-9097, GHSA-q86f-fmqf-qrf6, OSV-131677

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pgqp-64zv-8fc3

Fixing_vulnerabilities

url VCID-q6zt-ft1w-8ka1

vulnerability_id VCID-q6zt-ft1w-8ka1

summary

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.

references

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html

reference_id

reference_type

scores