RubySec

Providing security resources for the Ruby community

CVE-2012-2139 (mail): Mail Gem for Ruby File Delivery Method to Parameter Traversal Arbitrary File Manipulation

ADVISORIES

GEM

mail

SEVERITY

CVSS v2: 5.0

PATCHED VERSIONS

  • >= 2.4.4

DESCRIPTION

Mail Gem for Ruby contains a flaw that allows a remote attacker to traverse outside of a restricted path. The issue is due to the program not properly sanitizing user input, specifically directory traversal style attacks (e.g., ../../) supplied via the ‘to’ parameter within the delivery method. This directory traversal attack would allow the attacker to modify arbitrary files.