
Related vulnerabilities

GSD-2012-2140

Vulnerability from gsd - Updated: 2012-03-14 00:00
Details
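The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
Note: the source records below disagree on the fixed release. The NVD description and the GitLab advisory give 2.4.3, while ruby-advisory-db lists patched versions as ">= 2.4.4" and the referenced oss-security thread speaks of flaws fixed in rubygem-mail 2.4.4. Requiring mail >= 2.4.4 satisfies every record shown here.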
Aliases

{
  "GSD": {
    "alias": "CVE-2012-2140",
    "description": "The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.",
    "id": "GSD-2012-2140",
    "references": [
      "https://www.suse.com/security/cve/CVE-2012-2140.html",
      "https://access.redhat.com/errata/RHSA-2012:1542"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "mail",
            "purl": "pkg:gem/mail"
          }
        }
      ],
      "aliases": [
        "CVE-2012-2140",
        "OSVDB-81632"
      ],
      "details": "The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.",
      "id": "GSD-2012-2140",
      "modified": "2012-03-14T00:00:00.000Z",
      "published": "2012-03-14T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2140"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.5,
          "type": "CVSS_V2"
        }
      ],
      "summary": "CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2012-2140",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=816352",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=816352"
          },
          {
            "name": "FEDORA-2012-7535",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080648.html"
          },
          {
            "name": "https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2",
            "refsource": "CONFIRM",
            "url": "https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2"
          },
          {
            "name": "[oss-security] 20120425 CVE request: two flaws fixed in rubygem-mail 2.4.4",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2012/04/25/8"
          },
          {
            "name": "FEDORA-2012-7692",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html"
          },
          {
            "name": "https://bugzilla.novell.com/show_bug.cgi?id=759092",
            "refsource": "MISC",
            "url": "https://bugzilla.novell.com/show_bug.cgi?id=759092"
          },
          {
            "name": "48970",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/48970"
          },
          {
            "name": "https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0",
            "refsource": "CONFIRM",
            "url": "https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0"
          },
          {
            "name": "https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc",
            "refsource": "CONFIRM",
            "url": "https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc"
          },
          {
            "name": "FEDORA-2012-7619",
            "refsource": "FEDORA",
            "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080747.html"
          },
          {
            "name": "[oss-security] 20120425 Re: CVE request: two flaws fixed in rubygem-mail 2.4.4",
            "refsource": "MLIST",
            "url": "http://www.openwall.com/lists/oss-security/2012/04/26/1"
          }
        ]
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2012-2140",
      "cvss_v2": 7.5,
      "date": "2012-03-14",
      "description": "The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.",
      "gem": "mail",
      "osvdb": 81632,
      "patched_versions": [
        "\u003e= 2.4.4"
      ],
      "title": "CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2012-2140"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003e=2.3.2 \u003c=2.4.1",
          "affected_versions": "All versions starting from 2.3.2 up to 2.4.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cwe_ids": [
            "CWE-1035",
            "CWE-20",
            "CWE-937"
          ],
          "date": "2012-10-30",
          "description": "The Mail gem for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.",
          "fixed_versions": [
            "2.4.3"
          ],
          "identifier": "CVE-2012-2140",
          "identifiers": [
            "CVE-2012-2140"
          ],
          "not_impacted": "All versions before 2.3.2, all versions after 2.4.1",
          "package_slug": "gem/mail",
          "pubdate": "2012-07-18",
          "solution": "Upgrade to version 2.4.3 or above.",
          "title": "Improper Input Validation",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2012-2140",
            "http://www.openwall.com/lists/oss-security/2012/04/25/8",
            "https://bugzilla.novell.com/show_bug.cgi?id=759092",
            "https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2",
            "https://bugzilla.redhat.com/show_bug.cgi?id=816352",
            "https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0",
            "http://secunia.com/advisories/48970",
            "http://www.openwall.com/lists/oss-security/2012/04/26/1",
            "https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc",
            "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080747.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html",
            "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080648.html"
          ],
          "uuid": "68ad1792-2052-4483-b452-6167e32d209a"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:mail_gem:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "2.4.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:mail_gem:2.3.3:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:rubygems:mail_gem:2.3.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2012-2140"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-20"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20120425 CVE request: two flaws fixed in rubygem-mail 2.4.4",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2012/04/25/8"
            },
            {
              "name": "https://bugzilla.novell.com/show_bug.cgi?id=759092",
              "refsource": "MISC",
              "tags": [],
              "url": "https://bugzilla.novell.com/show_bug.cgi?id=759092"
            },
            {
              "name": "https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch"
              ],
              "url": "https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=816352",
              "refsource": "MISC",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=816352"
            },
            {
              "name": "https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Patch"
              ],
              "url": "https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0"
            },
            {
              "name": "48970",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/48970"
            },
            {
              "name": "[oss-security] 20120425 Re: CVE request: two flaws fixed in rubygem-mail 2.4.4",
              "refsource": "MLIST",
              "tags": [],
              "url": "http://www.openwall.com/lists/oss-security/2012/04/26/1"
            },
            {
              "name": "https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc"
            },
            {
              "name": "FEDORA-2012-7619",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080747.html"
            },
            {
              "name": "FEDORA-2012-7692",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.html"
            },
            {
              "name": "FEDORA-2012-7535",
              "refsource": "FEDORA",
              "tags": [],
              "url": "http://lists.fedoraproject.org/pipermail/package-announce/2012-May/080648.html"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2012-10-30T04:03Z",
      "publishedDate": "2012-07-18T18:55Z"
    }
  }
}