CVE-2012-2139
Published 2012-07-18
CVE-2012-2139: Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read…
Priority: P4 · 34 · medium · CVSS 2.0 score 5 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
EPSS: 4.92% (91.0th percentile)
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-mail | < ruby-mail 2.4.4-1 (bookworm) | ruby-mail 2.4.4-1 (bookworm) |
| nextcloud | — | >= 0 < 2.4.4 | 2.4.4 |
| rubygems | mail_gem | <= 2.4.3 | — |
| rubygems | mail_gem | — | — |
| rubygems | mail_gem | — | — |
| rubygems | mail_gem | — | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
OSV
Mail Gem Path Traversal vulnerability
osv · 2017-10-24 · MEDIUM
Directory traversal vulnerability in `lib/mail/network/delivery_methods/file_delivery.rb` in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a `..` (dot dot) in the `to` parameter.
GHSA
Mail Gem Path Traversal vulnerability
ghsa · 2017-10-24 · MEDIUM · CWE-22
Directory traversal vulnerability in `lib/mail/network/delivery_methods/file_delivery.rb` in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a `..` (dot dot) in the `to` parameter.
OSV
CVE-2012-2139: Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery
osv · 2012-07-18 · CVSS 5.0 · MEDIUM
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a `..` (dot dot) in the `to` parameter.
Red Hat
rubygem-mail: directory traversal
vendor_redhat · 2012-03-14 · CVSS 5.0 · MEDIUM
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a `..` (dot dot) in the `to` parameter.
Package: rubygem-mail (Red Hat Subscription Asset Manager) - Affected
Debian
CVE-2012-2139: ruby-mail - Directory traversal vulnerability in lib/mail/network/delivery_methods/file_deli...
vendor_debian · 2012 · CVSS 5.0 · MEDIUM
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a `..` (dot dot) in the `to` parameter.
Scope: local
- bookworm: resolved (fixed in 2.4.4-1)
- bullseye: resolved (fixed in 2.4.4-1)
- forky: resolved (fixed in 2.4.4-1)
- sid: resolved (fixed in 2.4.4-1)
- trixie: resolved (fixed in 2.4.4-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-2139 rubygem-mail: directory traversal
bugzilla · 2013-01-03 · CVSS 5.0 · MEDIUM
A flaw was corrected in rubygem-mail version 2.4.4:
A file system traversal in file_delivery method [1].
[1] https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f
Discussion:
This was previously tracked via bug 816352 along with CVE-2012-2140. The bug was split as explained in bug 816352, comment 13.
Bugzilla
CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline
bugzilla · 2012-04-25 · CVSS 5.0 · MEDIUM
Two flaws were corrected in rubygem-mail version 2.4.4:
A file system traversal in file_delivery method [1].
Arbitrary command execution when using exim or sendmail from the commandline [2],[3].
[1] https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f
[2] https://github.com/mikel/mail/commit/36b7fa23d38cb59dd79b7efa258ef0e7ddab5a11
[3] https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2
Discussion:
Created rubygem-mail tracking bugs for this issue
Affects: fedora-all [bug 816355]
---
Assigned CVE as per http://www.openwall.com/lists/oss-security/2012/04/26/1
---
rubygem-mail-2.4.4-1.fc15, rubygem-actionmailer-3.0.5-3.fc15 has bee
References:
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080648.html
- http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080747.html
- http://secunia.com/advisories/48970
- http://www.openwall.com/lists/oss-security/2012/04/25/8
- http://www.openwall.com/lists/oss-security/2012/04/26/1
- https://bugzilla.novell.com/show_bug.cgi?id=759092
- https://bugzilla.redhat.com/show_bug.cgi?id=816352
- https://github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98f