CVE-2012-2140: Mail Gem Improper Input Validation vulnerability
CVSS Score: 7.5 (CVSS v2)
Basic Information
CVE ID: CVE-2012-2140
GHSA ID
EPSS Score: 0.87374%
CWE
Published: 10/24/2017
Updated: 9/5/2023
KEV Status: No
Technology: Ruby
Technical Details
CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
mail | rubygems | < 2.4.3 | 2.4.3
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The GitHub patch shows a critical change in sendmail.rb: where the command string is constructed, shellescape was replaced with escape_for_shell. The CVE description explicitly cites the sendmail and exim delivery methods, and the commit message confirms that the fix was to properly escape destination addresses. Exim's delivery method may have had the same weakness, but the evidence provided here directly shows only the sendmail delivery method. In this context the standard-library Shellwords shellescape method was insufficient, so an attacker-controlled destination address could alter the shell command line used to invoke sendmail, leading to command injection.