Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
Related vulnerabilities
GSD-2013-4389
Vulnerability from gsd - Updated: 2013-10-16 00:00Details
Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4389",
"description": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.",
"id": "GSD-2013-4389",
"references": [
"https://www.suse.com/security/cve/CVE-2013-4389.html",
"https://www.debian.org/security/2014/dsa-2887",
"https://www.debian.org/security/2014/dsa-2888",
"https://access.redhat.com/errata/RHBA-2015:1100"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionmailer",
"purl": "pkg:gem/actionmailer"
}
}
],
"aliases": [
"CVE-2013-4389",
"OSVDB-98629"
],
"details": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.",
"id": "GSD-2013-4389",
"modified": "2013-10-16T00:00:00.000Z",
"published": "2013-10-16T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4389"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
}
],
"summary": "CVE-2013-4389 rubygem-actionmailer: email address processing DoS"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4389",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "DSA-2887",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2887"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "[ruby-security-ann] 20131016 Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"
},
{
"name": "openSUSE-SU-2013:1931",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"
},
{
"name": "openSUSE-SU-2013:1928",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4389",
"cvss_v2": 4.3,
"date": "2013-10-16",
"description": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.",
"gem": "actionmailer",
"osvdb": 98629,
"patched_versions": [
"\u003e= 3.2.15"
],
"title": "CVE-2013-4389 rubygem-actionmailer: email address processing DoS",
"unaffected_versions": [
"~\u003e 2.3.2"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4389"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.0.0 \u003c3.2.15",
"affected_versions": "All versions starting from 3.0.0 before 3.2.15",
"credit": "Aaron Neyer",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-134",
"CWE-937"
],
"date": "2019-08-08",
"description": "A carefully crafted email address in conjunction with the Action Mailer logger format string could take advantage of a bug in Ruby\u0027s sprintf implementation and possibly lead to a denial of service attack. Impacted Ruby code will look something like this: `\"some string #{user_input}\" % some_number` ",
"fixed_versions": [
"3.2.15"
],
"identifier": "CVE-2013-4389",
"identifiers": [
"CVE-2013-4389"
],
"not_impacted": "4.0.x, 2.3.x",
"package_slug": "gem/actionmailer",
"pubdate": "2013-10-16",
"solution": "Upgrade to 3.2.15.\r\n\r\nIf you aren\u0027t able to upgrade immediately, please check the source link to apply patches.",
"title": "Possible DoS Vulnerability",
"urls": [
"http://seclists.org/oss-sec/2013/q4/118"
],
"uuid": "491cb17f-01de-4133-add2-4c5ae76139dc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "3.2.15",
"versionStartIncluding": "3.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4389"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-134"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ruby-security-ann] 20131016 Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)",
"refsource": "MLIST",
"tags": [
"Broken Link",
"Exploit"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"
},
{
"name": "openSUSE-SU-2013:1928",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"
},
{
"name": "openSUSE-SU-2013:1931",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"name": "DSA-2887",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "http://www.debian.org/security/2014/dsa-2887"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-05-19T16:52Z",
"publishedDate": "2013-10-17T00:55Z"
}
}
}