CVE-2012-2140 — Improper Input Validation in Mail

CWE-20 — Improper Input Validation CWE-78 — OS Command Injection9 documents7 sources

Severity

7.5HIGHNVD

EPSS

3.7%

top 12.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Nextcloud Mail Rubygems Mail GEM

Timeline

PublishedJul 18

Latest updateOct 24

Description

The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages2 packages

▶NVDrubygems/mail_gem2.4.1+2

▶RubyGemsnextcloud/mail< 2.4.3

Patches

Patch: github.com ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

OSV

Mail Gem Improper Input Validation vulnerability↗2017-10-24

▶

GHSA

Mail Gem Improper Input Validation vulnerability↗2017-10-24

▶

CVEList

CVE-2012-2140: The Mail gem before 2↗2012-07-18

▶

OSV

CVE-2012-2140: The Mail gem before 2↗2012-07-18

▶

📋Vendor Advisories

Red Hat

rubygem-mail: arbitrary command execution when using exim or sendmail from commandline↗2012-03-14

▶

Debian

CVE-2012-2140: ruby-mail - The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary ...↗2012

▶

💬Community

Bugzilla

CVE-2012-2139 rubygem-mail: directory traversal↗2013-01-03

▶

Bugzilla

CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline↗2012-04-25

▶