Net::SMTP is vulnerable to RCPT TO/MAIL FROM injection due to lack of input validation and conformance to the SMTP protocol.
Publicly disclosed already: http://www.mbsd.jp/Whitepaper/smtpi.pdf
People are wrongly assigning this to the mail gem (http://rubysec.com/advisories/OSVDB-131677/) and thinking it's fixed, when in fact the underlying vuln remains in Net::SMTP.
Discussed as an issue with the
The mail gem should do input validation too, of course. But its responsibility is creating internet messages, and it would validate addresses against that spec. Its responsibility is not SMTP protocol compliance. Net::SMTP is.
Addressing this in Ruby in a timely manner will help resolve the considerable confusion that's emerged due to the lack of response to a publicly disclosed vulnerability.