CVE-2013-4389 — Use of Externally-Controlled Format String in Rails

CWE-134 — Use of Externally-Controlled Format String9 documents7 sources

Severity

4.3MEDIUMNVD

EPSS

1.3%

top 20.01%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Debian Linux Opensuse

Timeline

PublishedOct 17

Latest updateOct 24

Description

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.

CVSS vector

AV:N/AC:M/C:N/I:N/A:PExploitability: 8.6 | Impact: 2.9

Affected Packages2 packages

▶NVDrubyonrails/rails3.0.0 — 3.2.15

▶NVDopensuse/opensuse12.2, 12.3, 13.1+2

Also affects: Debian Linux 7.0

🔴Vulnerability Details

GHSA

actionmailer email address processing causes Denial of service↗2017-10-24

▶

OSV

actionmailer email address processing causes Denial of service↗2017-10-24

▶

OSV

CVE-2013-4389: Multiple format string vulnerabilities in log_subscriber↗2013-10-17

▶

CVEList

CVE-2013-4389: Multiple format string vulnerabilities in log_subscriber↗2013-10-17

▶

📋Vendor Advisories

Red Hat

rubygem-actionmailer: email address processing DoS↗2013-10-16

▶

Debian

CVE-2013-4389: rails - Multiple format string vulnerabilities in log_subscriber.rb files in the log sub...↗2013

▶

💬Community

Bugzilla

CVE-2013-4389 rubygem-actionmailer: email address processing DoS [fedora-all]↗2013-11-27

▶

Bugzilla

CVE-2013-4389 rubygem-actionmailer: email address processing DoS↗2013-10-01

▶