{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2013-10-16T00:00:00", "descriptions": [{"lang": "en", "value": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2014-03-28T12:57:00", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "DSA-2887", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2887"}, {"name": "openSUSE-SU-2014:0009", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"}, {"name": "[ruby-security-ann] 20131016 Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"}, {"name": "openSUSE-SU-2013:1931", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"}, {"name": "openSUSE-SU-2013:1928", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"}, {"name": "DSA-2888", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "http://www.debian.org/security/2014/dsa-2888"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2013-4389", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "DSA-2887", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2887"}, {"name": "openSUSE-SU-2014:0009", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"}, {"name": "[ruby-security-ann] 20131016 Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)", "refsource": "MLIST", "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"}, {"name": "openSUSE-SU-2013:1931", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"}, {"name": "openSUSE-SU-2013:1928", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"}, {"name": "DSA-2888", "refsource": "DEBIAN", "url": "http://www.debian.org/security/2014/dsa-2888"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T16:45:13.235Z"}, "title": "CVE Program Container", "references": [{"name": "DSA-2887", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2887"}, {"name": "openSUSE-SU-2014:0009", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"}, {"name": "[ruby-security-ann] 20131016 Possible DoS Vulnerability in Action Mailer (CVE-2013-4389)", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"}, {"name": "openSUSE-SU-2013:1931", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"}, {"name": "openSUSE-SU-2013:1928", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"}, {"name": "DSA-2888", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "http://www.debian.org/security/2014/dsa-2888"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2013-4389", "datePublished": "2013-10-17T00:00:00", "dateReserved": "2013-06-12T00:00:00", "dateUpdated": "2024-08-06T16:45:13.235Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*", "matchCriteriaId": "393CE9B0-AD9B-4A51-AC58-CF10BF115251", "versionEndExcluding": "3.2.15", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*", "matchCriteriaId": "D806A17E-B8F9-466D-807D-3F1E77603DC8", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:12.3:*:*:*:*:*:*:*", "matchCriteriaId": "DFBF430B-0832-44B0-AA0E-BA9E467F7668", "vulnerable": true}, {"criteria": "cpe:2.3:o:opensuse:opensuse:13.1:*:*:*:*:*:*:*", "matchCriteriaId": "A10BC294-9196-425F-9FB0-B1625465B47F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "16F59A04-14CF-49E2-9973-645477EA09DA", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."}, {"lang": "es", "value": "M\u00faltiples vulnerabilidadews de format string en archivos log_subscriber.rb en el componente de suscripci\u00f3n de log de Action Mailer en Ruby on Rails 3.x anterior a 3.2.15 permite a atacantes remotos causar una denegaci\u00f3n de servicio a trav\u00e9s de una direcci\u00f3n de email manipulada que es manejada de manera inapropiada durante la construcci\u00f3n de un mensaje de log."}], "id": "CVE-2013-4389", "lastModified": "2025-04-11T00:51:21.963", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 4.3, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2013-10-17T00:55:03.320", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2014/dsa-2887"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2014/dsa-2888"}, {"source": "secalert@redhat.com", "tags": ["Broken Link", "Exploit"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2014/dsa-2887"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.debian.org/security/2014/dsa-2888"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Broken Link", "Exploit"], "url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-134"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Ruby on Rails project for reporting this issue. Upstream acknowledges Aaron Neyer as the original reporter.", "affected_release": [{"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "cfme-0:5.4.0.5-1.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "cfme-gemset-0:5.4.0.5-1.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "cfme-vnc-plugin-0:1.0.0-2.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "libdnet-0:1.12-11.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "lshw-0:B.02.16-4.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "netapp-manageability-sdk-0:4.0P1-3.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "open-vm-tools-0:9.2.3-5.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "prince-0:9.0r2-4.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "pyliblzma-0:0.5.3-7.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-bcrypt-ruby-0:3.0.1-2.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-eventmachine-0:1.0.7-2.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-ffi-0:1.9.8-1.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-io-extra-0:1.2.8-1.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-json-0:1.8.2-2.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-nokogiri-0:1.5.11-2.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-pg-0:0.12.2-9.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-psych-0:2.0.13-1.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-qpid_messaging-0:0.20.2-5.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-therubyracer-0:0.11.0-5.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "ruby200-rubygem-thin-0:1.3.1-9.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "sneakernet_ca-0:0.1-2.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}, {"advisory": "RHBA-2015:1100", "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6", "package": "wmi-0:1.3.14-1.el6cf", "product_name": "CloudForms Management Engine 5.4", "release_date": "2015-06-16T00:00:00Z"}], "bugzilla": {"description": "rubygem-actionmailer: email address processing DoS", "id": "1013913", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1013913"}, "csaw": false, "cvss": {"cvss_base_score": "5.0", "cvss_scoring_vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "status": "verified"}, "cwe": "CWE-134", "details": ["Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message."], "name": "CVE-2013-4389", "package_state": [{"cpe": "cpe:/a:redhat:openshift:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionmailer", "product_name": "OpenShift Enterprise 1"}, {"cpe": "cpe:/a:redhat:openstack:3", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionmailer", "product_name": "Red Hat OpenStack Platform 3"}, {"cpe": "cpe:/a:redhat:openstack:4", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionmailer", "product_name": "Red Hat OpenStack Platform 4"}, {"cpe": "cpe:/a:redhat:satellite:6", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionmailer", "product_name": "Red Hat Satellite 6"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionmailer", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Will not fix", "package_name": "ruby193-rubygem-actionmailer", "product_name": "Red Hat Subscription Asset Manager"}, {"cpe": "cpe:/a:rhel_sam:1", "fix_state": "Not affected", "package_name": "rubygem-actionmailer", "product_name": "Red Hat Subscription Asset Manager"}], "public_date": "2013-10-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2013-4389\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-4389"], "statement": "Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.\nThis issue did not affect the versions of rubygem-actionmailer as shipped with Red Hat Subscription Asset Manager 1 as they do not include support for sending email using user supplied addresses.", "threat_severity": "Low"}