Moderate severityNVD Advisory· Published Jul 18, 2012· Updated Apr 29, 2026

CVE-2012-2139

Description

Directory traversal vulnerability in lib/mail/network/delivery_methods/file_delivery.rb in the Mail gem before 2.4.4 for Ruby allows remote attackers to read arbitrary files via a .. (dot dot) in the to parameter.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
mailRubyGems	< 2.4.4	2.4.4

Affected products

RubyGems/Mail Gem4 versions
cpe:2.3:a:rubygems:mail_gem:*:*:*:*:*:*:*:*+ 3 more
- cpe:2.3:a:rubygems:mail_gem:*:*:*:*:*:*:*:*range: <=2.4.3
- cpe:2.3:a:rubygems:mail_gem:2.3.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:mail_gem:2.3.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubygems:mail_gem:2.4.1:*:*:*:*:*:*:*

Patches

29aca25218e4

https://github.com/mikel/mailvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/mikel/mail/commit/29aca25218e4c82991400eb9b0c933626aefc98fnvdExploitPatchWEB
secunia.com/advisories/48970nvdVendor Advisory
github.com/advisories/GHSA-cj92-c4fj-w9c5ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2012-2139ghsaADVISORY
lists.fedoraproject.org/pipermail/package-announce/2012-May/080645.htmlnvdWEB
lists.fedoraproject.org/pipermail/package-announce/2012-May/080648.htmlnvdWEB
lists.fedoraproject.org/pipermail/package-announce/2012-May/080747.htmlnvdWEB
www.openwall.com/lists/oss-security/2012/04/25/8nvdWEB
www.openwall.com/lists/oss-security/2012/04/26/1nvdWEB
bugzilla.novell.com/show_bug.cginvdWEB
bugzilla.redhat.com/show_bug.cginvdWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.003
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000