CVE-2013-4389 — ruby-actionpack-3.2 - security update

Description

Multiple format string vulnerabilities in log_subscriber.rb files in the log subscriber component in Action Mailer in Ruby on Rails 3.x before 3.2.15 allow remote attackers to cause a denial of service via a crafted e-mail address that is improperly handled during construction of a log message.

How to fix CVE-2013-4389

To remediate CVE-2013-4389, upgrade the affected package to a fixed version below.

Debian/ruby-actionmailer-3.2—upgrade to 3.2.6-2+deb7u1 or later
Debian/ruby-actionpack-3.2—upgrade to 3.2.6-6+deb7u1 or later
—upgrade to 3.2.15 or later

Is CVE-2013-4389 being exploited?

Low — EPSS is 1.3%, meaning exploitation activity has not been observed at scale.

Affected packages (3)

from 0, < 3.2.6-2+deb7u1
from 0, < 3.2.6-6+deb7u1
>= 3.0.0, < 3.2.15

References (10)

ADVISORYgithub.com/advisories/GHSA-rg5m-3fqp-6px8
ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-4389
PATCHgithub.com/rails/rails/tree/main/actionmailer
WEBlists.opensuse.org/opensuse-updates/2013-12/msg00091.html
WEB