CVE-2012-2140

Published: Jul 18, 2012Modified: Apr 29, 2026

7.5

Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability: 10.0 / Impact: 6.4

Source: NVD

Description

The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.

Affected (3)

Products: Rubygems: Mail Gem

Rubygems

1 product

Mail Gem

Configuration A

3 vulnerable

Vulnerable Software	Affected Versions
Rubygems Mail Gem	Up to 2.4.1
Rubygems Mail Gem	Version 2.3.2
Rubygems Mail Gem	Version 2.3.3

Related CWEs

CWE-20

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

References (22)

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080648.html

Source: secalert@redhat.com

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080747.html

Source: secalert@redhat.com

http://secunia.com/advisories/48970

Source: secalert@redhat.com

Vendor Advisory

http://www.openwall.com/lists/oss-security/2012/04/25/8

Source: secalert@redhat.com

http://www.openwall.com/lists/oss-security/2012/04/26/1

Source: secalert@redhat.com

https://bugzilla.novell.com/show_bug.cgi?id=759092

Source: secalert@redhat.com

https://bugzilla.redhat.com/show_bug.cgi?id=816352

Source: secalert@redhat.com

https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc

Source: secalert@redhat.com

https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0

Source: secalert@redhat.com

ExploitPatch

https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2

Source: secalert@redhat.com

ExploitPatch

http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html