Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
History

Thu, 17 Oct 2024 17:15:00 +0000

Type Values Removed Values Added
First Time appeared Rubyonrails
Rubyonrails rails
CPEs cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Vendors & Products Rubyonrails
Rubyonrails rails
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 16 Oct 2024 21:00:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE. Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.
Title rubygem-actionmailer: Possible ReDoS vulnerability in block_format in Action Mailer Action Mailer has possible ReDoS vulnerability in block_format
Weaknesses CWE-1333
References
Metrics cvssV4_0

{'score': 6.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U'}


Wed, 16 Oct 2024 13:15:00 +0000

Type Values Removed Values Added
Description No description is available for this CVE.
Title rubygem-actionmailer: Possible ReDoS vulnerability in block_format in Action Mailer
Weaknesses CWE-1337
References
Metrics threat_severity

None

cvssV3_1

{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Low


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-10-16T20:55:33.958Z

Updated: 2024-10-17T16:31:00.794Z

Reserved: 2024-10-04T16:00:09.632Z

Link: CVE-2024-47889

cve-icon Vulnrichment

Updated: 2024-10-17T16:30:53.694Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2024-10-16T21:15:13.320

Modified: 2024-10-18T12:53:04.627

Link: CVE-2024-47889

cve-icon Redhat

Severity : Low

Publid Date: 2024-10-15T23:35:38Z

Links: CVE-2024-47889 - Bugzilla