RubySec

Providing security resources for the Ruby community

CVE-2012-2140 (mail): CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline

GEM

mail

SEVERITY

CVSS v2: 7.5 (High)

PATCHED VERSIONS

  • >= 2.4.4

DESCRIPTION

The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
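
To check whether a project locks an affected release, the following added example (not RubySec or Mail gem code) reads a Gemfile.lock and compares the resolved mail version against the PATCHED VERSIONS bound above. The function names and the sample lockfile are constructed for illustration.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Taken from this advisory's PATCHED VERSIONS field. The DESCRIPTION says
# "before 2.4.3"; the stricter PATCHED VERSIONS bound is used here.
MAIL_PATCHED = Gem::Requirement.new(">= 2.4.4")

# Collect every locked version of gem_name from the "specs:" blocks of a
# Gemfile.lock. Resolved gems sit at 4 spaces of indent; their dependency
# constraints sit at 6 spaces and are deliberately not matched.
def locked_versions(lock_text, gem_name)
  versions = []
  in_specs = false
  lock_text.each_line do |line|
    if line.match?(/\A {2}specs:\s*\z/)
      in_specs = true
    elsif line.match?(/\A\S/) # a new top-level section ends the specs block
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      versions << Gem::Version.new(m[2]) if m[1] == gem_name
    end
  end
  versions
end

# Returns :not_present, :patched, or :vulnerable for CVE-2012-2140.
def mail_cve_2012_2140_status(lock_text)
  versions = locked_versions(lock_text, "mail")
  return :not_present if versions.empty?
  versions.all? { |v| MAIL_PATCHED.satisfied_by?(v) } ? :patched : :vulnerable
end

# Constructed sample lockfile, not taken from a real project. The dependency
# constraint line under actionmailer must not be read as the locked version.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (3.2.3)
        mail (~> 2.4.4)
      mail (2.4.1)
        mime-types (~> 1.16)

  PLATFORMS
    ruby

  DEPENDENCIES
    actionmailer
LOCK

puts "mail gem: #{mail_cve_2012_2140_status(SAMPLE_LOCK)}" if __FILE__ == $PROGRAM_NAME
```

Pass the contents of a real lockfile, for example `mail_cve_2012_2140_status(File.read("Gemfile.lock"))`, to check an actual project.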