CVE-2013-4389

Published: 17/10/2013 Updated: 08/08/2019
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
VMScore: 383
Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P

Vulnerability Summary

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x prior to 3.2.15 allow remote malicious users to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
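The pattern the summary describes, shown as an added example (this is not the Rails source; the method names, the sample delivery payload and the exact wording of the log line are assumptions): the untrusted recipient text is interpolated into a string that is then handed to String#% as the format string, so any "%" directive in an address is interpreted. With a crafted address the format call raises, the delivery aborts, and an attacker who can supply recipient addresses gets a denial of service. The hardened form formats only the trusted number and never lets the recipient string reach the formatter.

```ruby
# Added example of a Ruby format-string DoS of the kind CVE-2013-4389 describes,
# next to the safe way to build the same log line. Not Rails' own code: the
# method and payload names are assumptions.

# Constructed stand-in for a mailer delivery event payload. The recipient
# address is attacker-controlled in the scenario the advisory describes.
def build_payload(to, duration_ms)
  { to: Array(to), duration: duration_ms }
end

# Vulnerable pattern: untrusted data is interpolated into the string that is
# then used as the format string for `%`. Any "%" directive inside the
# address is parsed and consumed by String#%.
def vulnerable_log_line(payload)
  recipients = payload[:to].join(', ')
  "\nSent mail to #{recipients} (%.1fms)" % payload[:duration]
end

# Fixed pattern: format only the trusted numeric value, then interpolate.
# The recipient string is never interpreted as a format string.
def fixed_log_line(payload)
  recipients = payload[:to].join(', ')
  "\nSent mail to #{recipients} (#{format('%.1f', payload[:duration])}ms)"
end

# Run one log builder against a payload and report whether it survived.
# Returns [:ok, line] on success or [:error, exception_class_name] when the
# format call raises (which is what turns a bad address into a failed delivery).
def try_log(builder, payload)
  [:ok, send(builder, payload)]
rescue ArgumentError => e
  [:error, e.class.name]
end

# Cheap check a practitioner can run over inbound recipient data before it
# reaches any `%`-formatted log line: a literal "%" has no business there.
def format_directive_in_address?(address)
  address.include?('%')
end

if __FILE__ == $PROGRAM_NAME
  benign  = build_payload('alice@example.com', 12.34)
  crafted = build_payload('"%s%s%s%s"@example.com', 12.34)   # constructed attacker input

  p try_log(:vulnerable_log_line, benign)   # [:ok, "\nSent mail to alice@example.com (12.3ms)"]
  p try_log(:vulnerable_log_line, crafted)  # [:error, "ArgumentError"]  (too few arguments)
  p try_log(:fixed_log_line, crafted)       # [:ok, "\nSent mail to \"%s%s%s%s\"@example.com (12.3ms)"]
end
```

The crafted address uses a quoted local part, which is syntactically a valid mailbox, so an address validator will not reject it; the defence has to be in how the log line is built, not in the address grammar.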

Affected Products

Vendor        Product         Versions
Rubyonrails   Rails           3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.16, 3.0.17, 3.0.18, 3.0.19, 3.0.20, 3.1.0, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.1.9, 3.1.10, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.2.7, 3.2.8, 3.2.9, 3.2.10, 3.2.11, 3.2.12, 3.2.13
Rubyonrails   Ruby On Rails   3.0.4, 3.2.14

Vendor Advisories

Debian Bug report logs - #726576 ruby-actionmailer-32: Possible DoS Vulnerability in Action Mailer (CVE-2013-4389) Package: ruby-actionmailer-32; Maintainer for ruby-actionmailer-32 is (unknown); Reported by: Yves-Alexis Perez <corsac@debian.org> Date: Wed, 16 Oct 2013 20:00:02 UTC Severity: grave Tags: security Fixed ...
Aaron Neyer discovered that missing input sanitising in the logging component of Ruby Actionmailer could result in denial of service through a malformed e-mail message. For the stable distribution (wheezy), this problem has been fixed in version 3.2.6-2+deb7u1. ruby-activesupport-32 was updated in a related change to version 3.2.6-6+deb7u1. For th ...
Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message ...