Vulnerability Name:

CVE-2012-2140 (CCN-75166)

Assigned: 2012-03-14
Published: 2012-03-14
Updated: 2012-10-30

Summary: The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.

CVSS v3 Severity: 7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
  Exploitability Metrics: Attack Vector (AV): Network
                          Attack Complexity (AC): Low
                          Privileges Required (PR): None
                          User Interaction (UI): None
  Scope:                  Scope (S): Unchanged
  Impact Metrics:         Confidentiality (C): Low
                          Integrity (I): Low
                          Availability (A): Low

CVSS v2 Severity: 7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
                  5.5 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network
                          Access Complexity (AC): Low
                          Authentication (Au): None
  Impact Metrics:         Confidentiality (C): Partial
                          Integrity (I): Partial
                          Availability (A): Partial

                  7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
                  5.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
  Exploitability Metrics: Access Vector (AV): Network
                          Access Complexity (AC): Low
                          Authentication (Au): None
  Impact Metrics:         Confidentiality (C): Partial
                          Integrity (I): Partial
                          Availability (A): Partial

Vulnerability Type: CWE-20
Vulnerability Consequences: Gain Access
References:

Source: MITRE
Type: CNA
CVE-2012-2140

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-7692

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-7535

Source: FEDORA
Type: UNKNOWN
FEDORA-2012-7619

Source: CCN
Type: RHSA-2012-1542
Moderate: CloudForms Commons 1.1 security update

Source: CCN
Type: RubyForge Web site
RubyGems

Source: CCN
Type: SA48970
Ruby Mail Gem Directory Traversal and Shell Command Injection Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
48970

Source: MLIST
Type: UNKNOWN
[oss-security] 20120425 CVE request: two flaws fixed in rubygem-mail 2.4.4

Source: MLIST
Type: UNKNOWN
[oss-security] 20120425 Re: CVE request: two flaws fixed in rubygem-mail 2.4.4

Source: CCN
Type: OSVDB ID: 81632
Mail Gem for Ruby Multiple Delivery Method Remote Shell Command Execution

Source: CCN
Type: BID-53257
RubyGems mail Directory Traversal and Command Injection Vulnerabilities

Source: MISC
Type: UNKNOWN
https://bugzilla.novell.com/show_bug.cgi?id=759092

Source: MISC
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=816352

Source: XF
Type: UNKNOWN
rubygems-unspec-command-exec(75166)

Source: CONFIRM
Type: UNKNOWN
https://github.com/mikel/mail/blob/9beb079c70d236a5ad2e1ba95b2c977e55deb7af/CHANGELOG.rdoc

Source: CCN
Type: github: mail
mail / CHANGELOG.rdoc

Source: CONFIRM
Type: Exploit, Patch
https://github.com/mikel/mail/commit/39b590ddb08f90ddbe445837359a2c8843e533d0

Source: CONFIRM
Type: Exploit, Patch
https://github.com/mikel/mail/commit/ac56f03bdfc30b379aeecd4ff317d08fdaa328c2

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:rubygems:mail_gem:2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:mail_gem:2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:rubygems:mail_gem:*:*:*:*:*:*:*:* (Version <= 2.4.1)

  * Denotes that component is vulnerable

Oval Definitions

Definition ID                               Class (P = patch, V = vulnerability)  Title                                                   Last Modified
oval:org.opensuse.security:def:26221        P                                     Security update for python-numpy (Moderate) (in QA)     2022-01-17
oval:org.opensuse.security:def:26220        P                                     Security update for MozillaFirefox (Important) (in QA)  2022-01-14
oval:org.opensuse.security:def:20122140     V                                     CVE-2012-2140                                           2021-08-15
oval:org.opensuse.security:def:26996        P                                     nfs-client on GA media (Moderate)                       2020-12-01
oval:org.opensuse.security:def:26562        P                                     gtk2 on GA media (Moderate)                             2020-12-01
oval:org.opensuse.security:def:26899        P                                     fuse on GA media (Moderate)                             2020-12-01
oval:org.opensuse.security:def:26296        P                                     Security update for ImageMagick (Moderate)              2020-12-01
oval:org.opensuse.security:def:27634        P                                     Security update for libgcrypt                           2020-12-01
oval:org.opensuse.security:def:26646        P                                     unzip on GA media (Moderate)                            2020-12-01
oval:org.opensuse.security:def:26938        P                                     libQtWebKit4-32bit on GA media (Moderate)               2020-12-01
oval:org.opensuse.security:def:26424        P                                     Security update for enigmail (Moderate)                 2020-12-01
oval:org.opensuse.security:def:27669        P                                     Security update for rubygem-mail-2_3                    2020-12-01
oval:org.opensuse.security:def:26797        P                                     pam_krb5 on GA media (Moderate)                         2020-12-01
oval:org.opensuse.security:def:26952        P                                     libgtop on GA media (Moderate)                          2020-12-01
oval:org.opensuse.security:def:26505        P                                     Security update for phpMyAdmin (Moderate)               2020-12-01
oval:org.opensuse.security:def:26850        P                                     LibVNCServer on GA media (Moderate)                     2020-12-01
oval:org.opensuse.security:def:26232        P                                     Security update for openconnect (Moderate)              2020-12-01

Vulnerable Products:
  • rubygems mail gem 2.3.2
  • rubygems mail gem 2.3.3
  • rubygems mail gem *