RubySec

Providing security resources for the Ruby community

CVE-2013-4389 (actionmailer): Action Mailer Gem for Ruby contains a possible DoS Vulnerability

GEM

actionmailer

SEVERITY

CVSS v2: 4.3

UNAFFECTED VERSIONS

  • ~> 2.3.2

PATCHED VERSIONS

  • >= 3.2.15

DESCRIPTION

Action Mailer Gem for Ruby contains a format string flaw in the Log Subscriber component. The issue is triggered because format string specifiers (e.g. %s and %x) in user-supplied input are not properly sanitized when handling email addresses. This may allow a remote attacker to cause a denial of service.
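As an added illustration of the bug class the advisory describes (constructed here, not ActionMailer's own code), the snippet below shows a log line that interpolates a recipient address into a string before that string is used as a format string with String#%, beside a hardened form that formats only the trusted duration value. The function names and the log message shape are assumptions.

```ruby
# Constructed example of the format-string-in-logging defect (not ActionMailer code).
# The untrusted value is an email address taken from a request; the trusted value
# is a delivery duration measured by the application.

# Vulnerable pattern: the address is embedded in the string *before* String#% is
# applied, so any "%s", "%x", "%.1f" etc. inside the address become directives.
# A single stray directive leaves the final "%.1f" without an argument and
# String#% raises ArgumentError, which takes down the logging path.
def vulnerable_log_line(recipients, duration_ms)
  "Sent mail to #{recipients} (%.1fms)" % duration_ms
end

# Hardened pattern: String#%/format only ever sees the trusted number; the
# untrusted address is interpolated into the already-formatted result.
def safe_log_line(recipients, duration_ms)
  "Sent mail to #{recipients} (#{format('%.1f', duration_ms)}ms)"
end

# Exercise the vulnerable formatter with an address and report whether it
# survives. Useful as a regression check that a logging path never hands
# user input to String#%.
def vulnerable_outcome(recipients, duration_ms = 12.34)
  { ok: true, line: vulnerable_log_line(recipients, duration_ms) }
rescue ArgumentError, TypeError => e
  { ok: false, error: "#{e.class}: #{e.message}" }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample addresses: one ordinary, two carrying format directives.
  ['alice@example.com', 'bob%s@example.com', 'carol%x@example.com'].each do |addr|
    puts "vulnerable: #{vulnerable_outcome(addr).inspect}"
    puts "safe:       #{safe_log_line(addr, 12.34)}"
  end
end
```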