RubySec

Providing security resources for the Ruby community

CVE-2011-0739 (mail): Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection

GEM

mail

SEVERITY

CVSS v2: 6.8 (Medium)

PATCHED VERSIONS

  • >= 2.2.15

DESCRIPTION

The Mail gem for Ruby fails to properly sanitise the email From: address in the 'deliver()' function of 'lib/mail/network/delivery_methods/sendmail.rb' before using it as a command-line argument to sendmail. Because the address is passed through a shell, a remote attacker who controls the From: address may inject arbitrary shell commands.
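The pattern behind this class of bug, as an added illustration that is not the mail gem's own code: the sendmail path and flags are assumed for the example, and the sample address is constructed. It contrasts string interpolation into a shell command line with two hardened forms (shell-escaping every argument, or avoiding the shell altogether with an argv array) and adds a reviewer's check for sender addresses.

```ruby
require 'shellwords'

# Assumed sendmail path for this example.
SENDMAIL = '/usr/sbin/sendmail'

# Vulnerable pattern: the sender address is interpolated verbatim into a
# command string that is handed to /bin/sh, so shell metacharacters in
# `from` change the command's meaning.
def vulnerable_command(from, recipients)
  "#{SENDMAIL} -i -t -f #{from} -- #{recipients.join(' ')}"
end

# Hardened form 1: every interpolated value is shell-escaped, so the whole
# address survives as exactly one argument even if it contains `;`, spaces
# or quotes.
def escaped_command(from, recipients)
  args = ['-i', '-t', '-f', from, '--', *recipients]
  "#{SENDMAIL} #{args.map { |a| Shellwords.escape(a) }.join(' ')}"
end

# Hardened form 2 (preferred): build an argv array and pass it to
# Process.spawn / Open3.popen3 without a shell, so no word splitting or
# metacharacter interpretation happens at all.
def sendmail_argv(from, recipients)
  [SENDMAIL, '-i', '-t', '-f', from, '--', *recipients]
end

# Defensive check: a legitimate sender address needs no shell escaping, so
# any address that Shellwords.escape would alter deserves rejection or review.
def suspicious_address?(addr)
  addr != Shellwords.escape(addr)
end

# Constructed sample: an address carrying shell metacharacters.
# Shellwords.split models how the shell would tokenise the command line.
BAD_FROM = 'user@example.com; echo oops'

if __FILE__ == $PROGRAM_NAME
  puts Shellwords.split(vulnerable_command(BAD_FROM, ['to@example.com'])).inspect
  puts Shellwords.split(escaped_command(BAD_FROM, ['to@example.com'])).inspect
  puts suspicious_address?(BAD_FROM)
end
```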