There is a vulnerability in the sendmail delivery agent of the
Mail gem that could allow an attacker to pass arbitrary commands
to the system.

Versions Affected: Versions 2.2.14 or earlier
Not affected: Any application not using sendmail delivery
Fixed Versions: 2.2.15 or later

More information in the original post here