Related vulnerabilities
GSD-2011-0739
Vulnerability from gsd - Updated: 2011-01-25 00:00
Details
The Mail gem for Ruby fails to properly sanitise the email From: address
handled by the 'deliver()' function in
'lib/mail/network/delivery_methods/sendmail.rb' before using it as a
command-line argument. This may allow a remote attacker to inject arbitrary
shell commands. Versions 2.2.14 and earlier are affected; 2.2.15 contains the fix.
Aliases
{
"GSD": {
"alias": "CVE-2011-0739",
"description": "The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.",
"id": "GSD-2011-0739",
"references": [
"https://www.suse.com/security/cve/CVE-2011-0739.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "mail",
"purl": "pkg:gem/mail"
}
}
],
"aliases": [
"CVE-2011-0739",
"OSVDB-70667"
],
"details": "Mail Gem for Ruby contains a flaw related to the failure to properly sanitise\ninput passed from an email from address in the \u0027deliver()\u0027 function in\n\u0027lib/mail/network/delivery_methods/sendmail.rb\u0027 before being used as a\ncommand line argument. This may allow a remote attacker to inject arbitrary\nshell commands.\n",
"id": "GSD-2011-0739",
"modified": "2011-01-25T00:00:00.000Z",
"published": "2011-01-25T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0739"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.8,
"type": "CVSS_V2"
}
],
"summary": "Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection\n"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-0739",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "ADV-2011-0233",
"refsource": "VUPEN",
"url": "http://www.vupen.com/english/advisories/2011/0233"
},
{
"name": "http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1",
"refsource": "CONFIRM",
"url": "http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1"
},
{
"name": "ruby-mail-deliver-command-execution(65010)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65010"
},
{
"name": "46021",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/46021"
},
{
"name": "https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch",
"refsource": "MISC",
"url": "https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch"
},
{
"name": "43077",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/43077"
},
{
"name": "70667",
"refsource": "OSVDB",
"url": "http://osvdb.org/70667"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2011-0739",
"cvss_v2": 6.8,
"date": "2011-01-25",
"description": "Mail Gem for Ruby contains a flaw related to the failure to properly sanitise\ninput passed from an email from address in the \u0027deliver()\u0027 function in\n\u0027lib/mail/network/delivery_methods/sendmail.rb\u0027 before being used as a\ncommand line argument. This may allow a remote attacker to inject arbitrary\nshell commands.\n",
"gem": "mail",
"osvdb": 70667,
"patched_versions": [
"\u003e= 2.2.15"
],
"title": "Mail Gem for Ruby lib/mail/network/delivery_methods/sendmail.rb Email From: Address Arbitrary Shell Command Injection\n",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2011-0739"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=2.2.14",
"affected_versions": "All versions up to 2.2.14",
"cvss_v2": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-20",
"CWE-937"
],
"date": "2017-08-17",
"description": "The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address.",
"fixed_versions": [
"2.2.15"
],
"identifier": "CVE-2011-0739",
"identifiers": [
"CVE-2011-0739"
],
"not_impacted": "All versions after 2.2.14",
"package_slug": "gem/mail",
"pubdate": "2011-02-02",
"solution": "Upgrade to version 2.2.15 or above.",
"title": "Improper Input Validation",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2011-0739"
],
"uuid": "454eaf14-d475-4ae9-9f13-4a09d5f85009"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.9.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.2.14",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:mikel_lindsaar:mail:1.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-0739"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The deliver function in the sendmail delivery agent (lib/mail/network/delivery_methods/sendmail.rb) in Ruby Mail gem 2.2.14 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an e-mail address."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-20"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1",
"refsource": "CONFIRM",
"tags": [
"Patch"
],
"url": "http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?pli=1"
},
{
"name": "70667",
"refsource": "OSVDB",
"tags": [],
"url": "http://osvdb.org/70667"
},
{
"name": "ADV-2011-0233",
"refsource": "VUPEN",
"tags": [
"Vendor Advisory"
],
"url": "http://www.vupen.com/english/advisories/2011/0233"
},
{
"name": "https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch",
"refsource": "MISC",
"tags": [
"Patch"
],
"url": "https://github.com/mikel/mail/raw/master/patches/20110126_sendmail.patch"
},
{
"name": "46021",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/46021"
},
{
"name": "43077",
"refsource": "SECUNIA",
"tags": [
"Vendor Advisory"
],
"url": "http://secunia.com/advisories/43077"
},
{
"name": "ruby-mail-deliver-command-execution(65010)",
"refsource": "XF",
"tags": [],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/65010"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2017-08-17T01:33Z",
"publishedDate": "2011-02-02T01:00Z"
}
}
}