mail 1.5.3
CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline
high severity CVE-2012-2140>= 2.4.4
The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.
Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection
high severity CVE-2011-0739>= 2.2.15
Mail Gem for Ruby contains a flaw related to the failure to properly sanitise input passed from an email from address in the 'deliver()' function in 'lib/mail/network/delivery_methods/sendmail.rb' before being used as a command line argument. This may allow a remote attacker to inject arbitrary shell commands.
CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses
medium severity CVE-2015-9097>= 2.5.5
The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.
CVE-2012-2139 rubygem-mail: directory traversal
medium severity CVE-2012-2139>= 2.4.4
Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
Author did not declare license for this gem in the gemspec.
This gem version has a MIT license in the source code, however it was not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.