{"url":"http://public2.vulnerablecode.io/api/packages/158772?format=json","purl":"pkg:gem/actionmailer@3.2.0","type":"gem","namespace":"","name":"actionmailer","version":"3.2.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"6.1.7.9","latest_non_vulnerable_version":"7.2.1.1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/37587?format=json","vulnerability_id":"VCID-3djc-6nq8-43er","summary":"Possible DoS Vulnerability\nA carefully crafted email address in conjunction with the Action Mailer logger format string could take advantage of a bug in Ruby's sprintf implementation and possibly lead to a denial of service attack. Impacted Ruby code will look something like this: `\"some string #{user_input}\" % some_number`","references":[{"reference_url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00091.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2013-12/msg00094.html"},{"reference_url":"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"},{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4389.json","reference_id":"","reference_type":"","scores":[],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-4389.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4389","reference_id":"","reference_type":"","scores":[{"value":"0.01333","scoring_system":"epss","scoring_elements":"0.80329","published_at":"2026-06-05T12:55:00Z"},{"value":"0.01333","scoring_system":"epss","scoring_elements":"0.80304","published_at":"2026-06-04T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2013-4389"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4389"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4491"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6414"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6415"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6417"},{"reference_url":"http://seclists.org/oss-sec/2013/q4/118","reference_id":"","reference_type":"","scores":[],"url":"http://seclists.org/oss-sec/2013/q4/118"},{"reference_url":"https://github.com/advisories/GHSA-rg5m-3fqp-6px8","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rg5m-3fqp-6px8"},{"reference_url":"https://github.com/rails/rails/tree/main/actionmailer","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails/tree/main/actionmailer"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2013-4389.yml","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2013-4389.yml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4389","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2013-4389"},{"reference_url":"https://web.archive.org/web/20201208175929/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://web.archive.org/web/20201208175929/https://groups.google.com/forum/message/raw?msg=ruby-security-ann/yvlR1Vx44c8/elKJkpO2KVgJ"},{"reference_url":"http://www.debian.org/security/2014/dsa-2887","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2014/dsa-2887"},{"reference_url":"http://www.debian.org/security/2014/dsa-2888","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"http://www.debian.org/security/2014/dsa-2888"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=1013913","reference_id":"1013913","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=1013913"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/51637?format=json","purl":"pkg:gem/actionmailer@3.2.15","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72vg-y91y-skh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@3.2.15"},{"url":"http://public2.vulnerablecode.io/api/packages/158804?format=json","purl":"pkg:gem/actionmailer@4.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3djc-6nq8-43er"},{"vulnerability":"VCID-72vg-y91y-skh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@4.0.0.beta1"}],"aliases":["CVE-2013-4389","GHSA-rg5m-3fqp-6px8","OSV-98629"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3djc-6nq8-43er"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/51560?format=json","vulnerability_id":"VCID-72vg-y91y-skh4","summary":"Possible ReDoS vulnerability in block_format in Action Mailer\nThere is a possible ReDoS vulnerability in the block_format helper\nin Action Mailer. This vulnerability has been assigned the\nCVE identifier CVE-2024-47889.\n\n## Impact\n\nCarefully crafted text can cause the block_format helper to take an\nunexpected amount of time, possibly resulting in a DoS vulnerability.\nAll users running an affected release should either upgrade or apply\nthe relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications\nusing Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires\nRuby 3.2 or greater so is unaffected.\n\n## Releases\n\nThe fixed releases are available at the normal locations.\n\n## Workarounds\n\nUsers can avoid calling the `block_format` helper or upgrade\nto Ruby 3.2.\n\n##Credits\n\nThanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json","reference_id":"","reference_type":"","scores":[{"value":"3.7","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47889","reference_id":"","reference_type":"","scores":[{"value":"0.00317","scoring_system":"epss","scoring_elements":"0.55135","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-47889"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"5.9","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/rails/rails","reference_id":"","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rails/rails"},{"reference_url":"https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6","reference_id":"","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/"}],"url":"https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6"},{"reference_url":"https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94","reference_id":"0e5694f4d32544532d2301a9b4084eacb6986e94","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/"}],"url":"https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376","reference_id":"1085376","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319033","reference_id":"2319033","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2319033"},{"reference_url":"https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3","reference_id":"3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/"}],"url":"https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3"},{"reference_url":"https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9","reference_id":"985f1923fa62806ff676e41de67c3b4552131ab9","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/"}],"url":"https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9"},{"reference_url":"https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e","reference_id":"be898cc996986decfe238341d96b2a6573b8fd2e","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/"}],"url":"https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47889","reference_id":"CVE-2024-47889","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-47889"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml","reference_id":"CVE-2024-47889.YML","reference_type":"","scores":[{"value":"6.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml"},{"reference_url":"https://github.com/advisories/GHSA-h47h-mwp9-c6q6","reference_id":"GHSA-h47h-mwp9-c6q6","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-h47h-mwp9-c6q6"},{"reference_url":"https://usn.ubuntu.com/7290-1/","reference_id":"USN-7290-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/7290-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/82984?format=json","purl":"pkg:gem/actionmailer@6.1.7.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@6.1.7.9"},{"url":"http://public2.vulnerablecode.io/api/packages/170646?format=json","purl":"pkg:gem/actionmailer@7.0.0.alpha1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72vg-y91y-skh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@7.0.0.alpha1"},{"url":"http://public2.vulnerablecode.io/api/packages/82985?format=json","purl":"pkg:gem/actionmailer@7.0.8.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@7.0.8.5"},{"url":"http://public2.vulnerablecode.io/api/packages/170674?format=json","purl":"pkg:gem/actionmailer@7.1.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72vg-y91y-skh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@7.1.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/82986?format=json","purl":"pkg:gem/actionmailer@7.1.4.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@7.1.4.1"},{"url":"http://public2.vulnerablecode.io/api/packages/170685?format=json","purl":"pkg:gem/actionmailer@7.2.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72vg-y91y-skh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@7.2.0.beta1"},{"url":"http://public2.vulnerablecode.io/api/packages/82987?format=json","purl":"pkg:gem/actionmailer@7.2.1.1","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@7.2.1.1"},{"url":"http://public2.vulnerablecode.io/api/packages/170690?format=json","purl":"pkg:gem/actionmailer@8.0.0.beta1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-72vg-y91y-skh4"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@8.0.0.beta1"}],"aliases":["CVE-2024-47889","GHSA-h47h-mwp9-c6q6"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-72vg-y91y-skh4"}],"fixing_vulnerabilities":[],"risk_score":"3.1","resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/actionmailer@3.2.0"}