mail 2.1.5.2

4 security vulnerabilities found in version 2.1.5.2

CVE-2012-2140 rubygem-mail: arbitrary command execution when using exim or sendmail from commandline

high severity CVE-2012-2140
high severity CVE-2012-2140
Patched versions: >= 2.4.4

The Mail gem before 2.4.3 for Ruby allows remote attackers to execute arbitrary commands via shell metacharacters in a (1) sendmail or (2) exim delivery.

Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection

high severity CVE-2011-0739
high severity CVE-2011-0739
Patched versions: >= 2.2.15

Mail Gem for Ruby contains a flaw related to the failure to properly sanitise input passed from an email from address in the 'deliver()' function in 'lib/mail/network/delivery_methods/sendmail.rb' before being used as a command line argument. This may allow a remote attacker to inject arbitrary shell commands.

CVE-2015-9097 rubygem-mail: SMTP injection via recipient email addresses

medium severity CVE-2015-9097
medium severity CVE-2015-9097
Patched versions: >= 2.5.5

The mail gem before 2.5.5 for Ruby (aka A Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in a RCPT TO or MAIL FROM command, as demonstrated by CRLF sequences immediately before and after a DATA substring.

CVE-2012-2139 rubygem-mail: directory traversal

medium severity CVE-2012-2139
medium severity CVE-2012-2139
Patched versions: >= 2.4.4

Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

Author did not declare license for this gem in the gemspec.


This gem version has a MIT license in the source code, however it was not declared in the gemspec file.

This gem version is available.


This gem version has not been yanked and is still available for usage.