CVSS2 base score: 4.3 (Medium)

Metric | Value |
---|---|
Access Vector | NETWORK |
Access Complexity | MEDIUM |
Authentication | NONE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | PARTIAL |
Vector string | AV:N/AC:M/Au:N/C:N/I:N/A:P |

EPSS score: 0.011 (Low), percentile 83.9%
Multiple format string vulnerabilities in log_subscriber.rb files in the
log subscriber component in Action Mailer in Ruby on Rails 3.x before
3.2.15 allow remote attackers to cause a denial of service via a crafted
e-mail address that is improperly handled during construction of a log
message.
Author | Note |
---|---|
mdeslaur | in Oneiric+, rails package is just for transition |
seth-arnold | Only 3.x.x is affected; earlier and 4.0.x are safe. The patch standardizes some log handling across multiple packages, but the security fix looks restricted to just one line in action mailer: info("\nSent mail to #{recipients} … the other packages can be left alone. |
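The description says the crafted address is "improperly handled during construction of a log message", and the note above quotes the offending call. The Ruby below is an added example, not the Rails source and not from this page: it contrasts the vulnerable pattern, in which the recipient string is interpolated first and the result is then used as the template for String#%, with a fixed pattern in which the address only ever reaches the log line as data. Method names, the sample addresses and the timing value are constructed for illustration.

```ruby
# Added illustration of format-string handling in a mail log line.
# Not the Rails source: method names, addresses and timings are constructed.

# Vulnerable pattern: the recipient list is interpolated into the string
# FIRST, and the result is then used as the format template for String#%.
# Any '%' directive inside an address is therefore interpreted by the
# formatter rather than logged as data.
def vulnerable_log_line(recipients, duration_ms)
  joined = Array(recipients).join(', ')
  "\nSent mail to #{joined} (%1.fms)" % duration_ms
end

# Fixed pattern: the only value that needs numeric formatting (the duration)
# is formatted on its own; the address is interpolated purely as data and
# never reaches a format-string parser.
def fixed_log_line(recipients, duration_ms)
  joined = Array(recipients).join(', ')
  "\nSent mail to #{joined} (#{duration_ms.round(1)}ms)"
end

# Runs one of the two builders and reports whether logging succeeded or
# raised. In a real log subscriber an ArgumentError here propagates out of
# the delivery path, which is the denial of service the advisory describes.
def log_outcome(mode, recipients, duration_ms)
  line = if mode == :vulnerable
           vulnerable_log_line(recipients, duration_ms)
         else
           fixed_log_line(recipients, duration_ms)
         end
  [:ok, line]
rescue ArgumentError => e
  [:error, e.message]
end

# Constructed inputs: one ordinary address and two that a remote sender can
# supply (e.g. as the To: of a form-driven mailer) to trip the formatter.
SAMPLE_ADDRESSES = {
  benign:        'user@example.com',
  extra_arg:     'attacker%s@example.com',   # consumes the duration, leaves %1.f unfilled
  bad_directive: 'attacker%z@example.com',   # '%z' is not a valid directive
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ADDRESSES.each do |label, address|
    %i[vulnerable fixed].each do |mode|
      status, detail = log_outcome(mode, address, 12.3)
      puts "#{label.to_s.ljust(13)} #{mode.to_s.ljust(10)} #{status}: #{detail.inspect}"
    end
  end
end
```

Run it directly to see the benign address logged by both builders, while the two crafted addresses raise under the vulnerable builder (too few arguments, malformed format string) and are logged verbatim by the fixed one. The general rule it illustrates: anything attacker-influenced belongs in the arguments of a formatter, never in its template.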