RubySec

Providing security resources for the Ruby community

CVE-2013-4389 (actionmailer): CVE-2013-4389 rubygem-actionmailer: email address processing DoS

ADVISORIES

GEM

actionmailer

SEVERITY

CVSS v2: 4.3 (Medium)

UNAFFECTED VERSIONS

  • ~> 2.3.2

PATCHED VERSIONS

  • >= 3.2.15

DESCRIPTION

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.