cvelistv5 - cve-2024-47889

CVE-2024-47889 (GCVE-0-2024-47889)

Vulnerability from cvelistv5 – Published: 2024-10-16 20:55 – Updated: 2024-10-17 16:31

Summary

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Severity ?

6.6 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

CWE

CWE-1333 - Inefficient Regular Expression Complexity

Assigner

GitHub_M

References

URL

Tags

	https://github.com/rails/rails/security/advisorie…	x_refsource_CONFIRM
	https://github.com/rails/rails/commit/0e5694f4d32…	x_refsource_MISC
	https://github.com/rails/rails/commit/3612e3eb3fb…	x_refsource_MISC
	https://github.com/rails/rails/commit/985f1923fa6…	x_refsource_MISC
	https://github.com/rails/rails/commit/be898cc9969…	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	rails	rails	Affected: >= 3.0.0, < 6.1.7.9 Affected: >= 7.0.0, < 7.0.8.5 Affected: >= 7.1.0, < 7.1.4.1 Affected: >= 7.2.0, < 7.2.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "rails",
            "vendor": "rubyonrails",
            "versions": [
              {
                "lessThan": "6.1.7.9",
                "status": "affected",
                "version": "3.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.0.8.5",
                "status": "affected",
                "version": "7.0.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.1.4.1",
                "status": "affected",
                "version": "7.1.0",
                "versionType": "custom"
              },
              {
                "lessThan": "7.2.1.1",
                "status": "affected",
                "version": "7.2.0",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-47889",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-17T16:27:30.699423Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-17T16:31:00.794Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "rails",
          "vendor": "rails",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 3.0.0, \u003c 6.1.7.9"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.0.8.5"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.1.0, \u003c 7.1.4.1"
            },
            {
              "status": "affected",
              "version": "\u003e= 7.2.0, \u003c 7.2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 6.6,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1333",
              "description": "CWE-1333: Inefficient Regular Expression Complexity",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-16T20:55:33.958Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6"
        },
        {
          "name": "https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94"
        },
        {
          "name": "https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3"
        },
        {
          "name": "https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9"
        },
        {
          "name": "https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e"
        }
      ],
      "source": {
        "advisory": "GHSA-h47h-mwp9-c6q6",
        "discovery": "UNKNOWN"
      },
      "title": "Action Mailer has possible ReDoS vulnerability in block_format"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2024-47889",
    "datePublished": "2024-10-16T20:55:33.958Z",
    "dateReserved": "2024-10-04T16:00:09.632Z",
    "dateUpdated": "2024-10-17T16:31:00.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.\"}, {\"lang\": \"es\", \"value\": \"Action Mailer es un framework para dise\\u00f1ar capas de servicio de correo electr\\u00f3nico. A partir de la versi\\u00f3n 3.0.0 y anteriores a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 y 7.2.1.1, existe una posible vulnerabilidad de ReDoS en el asistente block_format de Action Mailer. Un texto cuidadosamente elaborado puede hacer que el asistente block_format tarde una cantidad inesperada de tiempo, lo que puede dar como resultado una vulnerabilidad de DoS. Todos los usuarios que ejecuten una versi\\u00f3n afectada deben actualizar a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 o 7.2.1.1 o aplicar el parche correspondiente de inmediato. Como workaround, los usuarios pueden evitar llamar al asistente `block_format` o actualizar a Ruby 3.2. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rails que usan Ruby 3.2 o versiones m\\u00e1s nuevas no se ven afectadas. Rails 8.0.0.beta1 requiere Ruby 3.2 o superior, por lo que no se ve afectado.\"}]",
      "id": "CVE-2024-47889",
      "lastModified": "2024-10-18T12:53:04.627",
      "metrics": "{\"cvssMetricV40\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"4.0\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\", \"baseScore\": 6.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"vulnerableSystemConfidentiality\": \"NONE\", \"vulnerableSystemIntegrity\": \"NONE\", \"vulnerableSystemAvailability\": \"HIGH\", \"subsequentSystemConfidentiality\": \"NONE\", \"subsequentSystemIntegrity\": \"NONE\", \"subsequentSystemAvailability\": \"NONE\", \"exploitMaturity\": \"UNREPORTED\", \"confidentialityRequirements\": \"NOT_DEFINED\", \"integrityRequirements\": \"NOT_DEFINED\", \"availabilityRequirements\": \"NOT_DEFINED\", \"modifiedAttackVector\": \"NOT_DEFINED\", \"modifiedAttackComplexity\": \"NOT_DEFINED\", \"modifiedAttackRequirements\": \"NOT_DEFINED\", \"modifiedPrivilegesRequired\": \"NOT_DEFINED\", \"modifiedUserInteraction\": \"NOT_DEFINED\", \"modifiedVulnerableSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedVulnerableSystemIntegrity\": \"NOT_DEFINED\", \"modifiedVulnerableSystemAvailability\": \"NOT_DEFINED\", \"modifiedSubsequentSystemConfidentiality\": \"NOT_DEFINED\", \"modifiedSubsequentSystemIntegrity\": \"NOT_DEFINED\", \"modifiedSubsequentSystemAvailability\": \"NOT_DEFINED\", \"safety\": \"NOT_DEFINED\", \"automatable\": \"NOT_DEFINED\", \"recovery\": \"NOT_DEFINED\", \"valueDensity\": \"NOT_DEFINED\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\"}}]}",
      "published": "2024-10-16T21:15:13.320",
      "references": "[{\"url\": \"https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e\", \"source\": \"security-advisories@github.com\"}, {\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6\", \"source\": \"security-advisories@github.com\"}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Awaiting Analysis",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-1333\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-47889\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2024-10-16T21:15:13.320\",\"lastModified\":\"2024-10-18T12:53:04.627\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.\"},{\"lang\":\"es\",\"value\":\"Action Mailer es un framework para dise\u00f1ar capas de servicio de correo electr\u00f3nico. A partir de la versi\u00f3n 3.0.0 y anteriores a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 y 7.2.1.1, existe una posible vulnerabilidad de ReDoS en el asistente block_format de Action Mailer. Un texto cuidadosamente elaborado puede hacer que el asistente block_format tarde una cantidad inesperada de tiempo, lo que puede dar como resultado una vulnerabilidad de DoS. Todos los usuarios que ejecuten una versi\u00f3n afectada deben actualizar a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 o 7.2.1.1 o aplicar el parche correspondiente de inmediato. Como workaround, los usuarios pueden evitar llamar al asistente `block_format` o actualizar a Ruby 3.2. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rails que usan Ruby 3.2 o versiones m\u00e1s nuevas no se ven afectadas. Rails 8.0.0.beta1 requiere Ruby 3.2 o superior, por lo que no se ve afectado.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"UNREPORTED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-1333\"}]}],\"references\":[{\"url\":\"https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-47889\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-10-17T16:27:30.699423Z\"}}}], \"affected\": [{\"cpes\": [\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\"], \"vendor\": \"rubyonrails\", \"product\": \"rails\", \"versions\": [{\"status\": \"affected\", \"version\": \"3.0.0\", \"lessThan\": \"6.1.7.9\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.0.0\", \"lessThan\": \"7.0.8.5\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.1.0\", \"lessThan\": \"7.1.4.1\", \"versionType\": \"custom\"}, {\"status\": \"affected\", \"version\": \"7.2.0\", \"lessThan\": \"7.2.1.1\", \"versionType\": \"custom\"}], \"defaultStatus\": \"unknown\"}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-10-17T16:30:53.694Z\"}}], \"cna\": {\"title\": \"Action Mailer has possible ReDoS vulnerability in block_format\", \"source\": {\"advisory\": \"GHSA-h47h-mwp9-c6q6\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.6, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"rails\", \"product\": \"rails\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 3.0.0, \u003c 6.1.7.9\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.0.0, \u003c 7.0.8.5\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.1.0, \u003c 7.1.4.1\"}, {\"status\": \"affected\", \"version\": \"\u003e= 7.2.0, \u003c 7.2.1.1\"}]}], \"references\": [{\"url\": \"https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6\", \"name\": \"https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94\", \"name\": \"https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3\", \"name\": \"https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9\", \"name\": \"https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e\", \"name\": \"https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-1333\", \"description\": \"CWE-1333: Inefficient Regular Expression Complexity\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2024-10-16T20:55:33.958Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-47889\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-10-17T16:31:00.794Z\", \"dateReserved\": \"2024-10-04T16:00:09.632Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2024-10-16T20:55:33.958Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

OPENSUSE-SU-2024:14471-1

Vulnerability from csaf_opensuse - Published: 2024-11-07 00:00 - Updated: 2024-11-07 00:00

Summary

ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1 on GA media

Notes

Title of the patch

ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1 on GA media

Description of the patch

These are all security issues fixed in the ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14471

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14471",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14471-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:14471-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E5RFF3ZIT4H2PQE3C2J6GEEUHXNGWLFM/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:14471-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E5RFF3ZIT4H2PQE3C2J6GEEUHXNGWLFM/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47889 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47889/"
      }
    ],
    "title": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-11-07T00:00:00Z",
      "generator": {
        "date": "2024-11-07T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14471-1",
      "initial_release_date": "2024-11-07T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-11-07T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47889",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47889"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47889",
          "url": "https://www.suse.com/security/cve/CVE-2024-47889"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231723 for CVE-2024-47889",
          "url": "https://bugzilla.suse.com/1231723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-actionmailer-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-07T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47889"
    }
  ]
}

OPENSUSE-SU-2024:14479-1

Vulnerability from csaf_opensuse - Published: 2024-11-08 00:00 - Updated: 2024-11-08 00:00

Summary

ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1 on GA media

Notes

Title of the patch

ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1 on GA media

Description of the patch

These are all security issues fixed in the ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2024-14479

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2024-14479",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14479-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2024:14479-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2ZXD3WUVCXVEO5FFUTSYTZJ7QX6AZ2IV/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2024:14479-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2ZXD3WUVCXVEO5FFUTSYTZJ7QX6AZ2IV/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-41128 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-41128/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47887 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47887/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47888 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47888/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47889 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47889/"
      }
    ],
    "title": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1 on GA media",
    "tracking": {
      "current_release_date": "2024-11-08T00:00:00Z",
      "generator": {
        "date": "2024-11-08T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2024:14479-1",
      "initial_release_date": "2024-11-08T00:00:00Z",
      "revision_history": [
        {
          "date": "2024-11-08T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
                "product": {
                  "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
                  "product_id": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
                "product": {
                  "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
                  "product_id": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
                "product": {
                  "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
                  "product_id": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64",
                "product": {
                  "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64",
                  "product_id": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64"
        },
        "product_reference": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le"
        },
        "product_reference": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x"
        },
        "product_reference": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
        },
        "product_reference": "ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-41128",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-41128"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-41128",
          "url": "https://www.suse.com/security/cve/CVE-2024-41128"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231730 for CVE-2024-41128",
          "url": "https://bugzilla.suse.com/1231730"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-41128"
    },
    {
      "cve": "CVE-2024-47887",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47887"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller\u0027s HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47887",
          "url": "https://www.suse.com/security/cve/CVE-2024-47887"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231729 for CVE-2024-47887",
          "url": "https://bugzilla.suse.com/1231729"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47887"
    },
    {
      "cve": "CVE-2024-47888",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47888"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node helper` in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47888",
          "url": "https://www.suse.com/security/cve/CVE-2024-47888"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231724 for CVE-2024-47888",
          "url": "https://bugzilla.suse.com/1231724"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47888"
    },
    {
      "cve": "CVE-2024-47889",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47889"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
          "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47889",
          "url": "https://www.suse.com/security/cve/CVE-2024-47889"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231723 for CVE-2024-47889",
          "url": "https://bugzilla.suse.com/1231723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.aarch64",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.ppc64le",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.s390x",
            "openSUSE Tumbleweed:ruby3.3-rubygem-rails-7.0-7.0.8.6-1.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-08T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47889"
    }
  ]
}

OPENSUSE-SU-2025:15124-1

Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

Summary

ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3 on GA media

Notes

Title of the patch

ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3 on GA media

Description of the patch

These are all security issues fixed in the ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15124

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15124",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15124-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:15124-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3C5WPU2RXUSPKAI3EANLIGCY34ZDBZ4Y/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:15124-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3C5WPU2RXUSPKAI3EANLIGCY34ZDBZ4Y/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2023-38037 page",
        "url": "https://www.suse.com/security/cve/CVE-2023-38037/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-26143 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-26143/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-28103 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-28103/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-34341 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-34341/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-41128 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-41128/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47887 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47887/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47888 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47888/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47889 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47889/"
      }
    ],
    "title": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3 on GA media",
    "tracking": {
      "current_release_date": "2025-05-17T00:00:00Z",
      "generator": {
        "date": "2025-05-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15124-1",
      "initial_release_date": "2025-05-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-05-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
                  "product_id": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
                  "product_id": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
                  "product_id": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64",
                  "product_id": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x"
        },
        "product_reference": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-38037",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2023-38037"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "ActiveSupport::EncryptedFile writes contents that will be encrypted to a\r\ntemporary file.  The temporary file\u0027s permissions are defaulted to the user\u0027s\r\ncurrent `umask` settings, meaning that it\u0027s possible for other users on the\r\nsame system to read the contents of the temporary file.\r\n\r\nAttackers that have access to the file system could possibly read the contents\r\nof this temporary file while a user is editing it.\r\n\r\nAll users running an affected release should either upgrade or use one of the\r\nworkarounds immediately.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2023-38037",
          "url": "https://www.suse.com/security/cve/CVE-2023-38037"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1214807 for CVE-2023-38037",
          "url": "https://bugzilla.suse.com/1214807"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2023-38037"
    },
    {
      "cve": "CVE-2024-26143",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-26143"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Rails is a web-application framework. There is a possible XSS vulnerability when using the translation helpers in Action Controller. Applications using translation methods like translate, or t on a controller, with a key ending in \"_html\", a :default key which contains untrusted user input, and the resulting string is used in a view, may be susceptible to an XSS vulnerability. The vulnerability is fixed in 7.1.3.1 and 7.0.8.1.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-26143",
          "url": "https://www.suse.com/security/cve/CVE-2024-26143"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1220522 for CVE-2024-26143",
          "url": "https://bugzilla.suse.com/1220522"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-26143"
    },
    {
      "cve": "CVE-2024-28103",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-28103"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. Since 6.1.0, the application configurable Permissions-Policy is only served on responses with an HTML related Content-Type. This vulnerability is fixed in  6.1.7.8, 7.0.8.2, and 7.1.3.3.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-28103",
          "url": "https://www.suse.com/security/cve/CVE-2024-28103"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1225996 for CVE-2024-28103",
          "url": "https://bugzilla.suse.com/1225996"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-28103"
    },
    {
      "cve": "CVE-2024-34341",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-34341"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Trix is a rich text editor. The Trix editor, versions prior to 2.1.1, is vulnerable to arbitrary code execution when copying and pasting content from the web or other documents with markup into the editor. The vulnerability stems from improper sanitization of pasted content, allowing an attacker to embed malicious scripts which are executed within the context of the application. Users should upgrade to Trix editor version 2.1.1 or later, which incorporates proper sanitization of input from copied content.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-34341",
          "url": "https://www.suse.com/security/cve/CVE-2024-34341"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "not set"
        }
      ],
      "title": "CVE-2024-34341"
    },
    {
      "cve": "CVE-2024-41128",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-41128"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-41128",
          "url": "https://www.suse.com/security/cve/CVE-2024-41128"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231730 for CVE-2024-41128",
          "url": "https://bugzilla.suse.com/1231730"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-41128"
    },
    {
      "cve": "CVE-2024-47887",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47887"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller\u0027s HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may choose to use Ruby 3.2 as a workaround.Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47887",
          "url": "https://www.suse.com/security/cve/CVE-2024-47887"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231729 for CVE-2024-47887",
          "url": "https://bugzilla.suse.com/1231729"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47887"
    },
    {
      "cve": "CVE-2024-47888",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47888"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node helper` in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47888",
          "url": "https://www.suse.com/security/cve/CVE-2024-47888"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231724 for CVE-2024-47888",
          "url": "https://bugzilla.suse.com/1231724"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47888"
    },
    {
      "cve": "CVE-2024-47889",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47889"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47889",
          "url": "https://www.suse.com/security/cve/CVE-2024-47889"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231723 for CVE-2024-47889",
          "url": "https://bugzilla.suse.com/1231723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-rails-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47889"
    }
  ]
}

OPENSUSE-SU-2025:15109-1

Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00

Summary

ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3 on GA media

Notes

Title of the patch

ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3 on GA media

Description of the patch

These are all security issues fixed in the ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3 package on the GA media of openSUSE Tumbleweed.

Patchnames

openSUSE-Tumbleweed-2025-15109

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3 on GA media",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "These are all security issues fixed in the ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3 package on the GA media of openSUSE Tumbleweed.",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "openSUSE-Tumbleweed-2025-15109",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15109-1.json"
      },
      {
        "category": "self",
        "summary": "URL for openSUSE-SU-2025:15109-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4B3C7EQABILQDJAY4PQHNY5OARLFZ6WA/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for openSUSE-SU-2025:15109-1",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4B3C7EQABILQDJAY4PQHNY5OARLFZ6WA/"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47889 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47889/"
      }
    ],
    "title": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3 on GA media",
    "tracking": {
      "current_release_date": "2025-05-17T00:00:00Z",
      "generator": {
        "date": "2025-05-17T00:00:00Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "openSUSE-SU-2025:15109-1",
      "initial_release_date": "2025-05-17T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-05-17T00:00:00Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64",
                  "product_id": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le",
                  "product_id": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x",
                  "product_id": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64",
                "product": {
                  "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64",
                  "product_id": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "openSUSE Tumbleweed",
                "product": {
                  "name": "openSUSE Tumbleweed",
                  "product_id": "openSUSE Tumbleweed",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:tumbleweed"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64 as component of openSUSE Tumbleweed",
          "product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64"
        },
        "product_reference": "ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64",
        "relates_to_product_reference": "openSUSE Tumbleweed"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47889",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47889"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x",
          "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47889",
          "url": "https://www.suse.com/security/cve/CVE-2024-47889"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231723 for CVE-2024-47889",
          "url": "https://bugzilla.suse.com/1231723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.aarch64",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.ppc64le",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.s390x",
            "openSUSE Tumbleweed:ruby3.4-rubygem-actionmailer-7.0-7.0.8.6-1.3.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2025-05-17T00:00:00Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47889"
    }
  ]
}

GHSA-H47H-MWP9-C6Q6

Vulnerability from github – Published: 2024-10-15 23:35 – Updated: 2025-01-07 21:47

Summary

Possible ReDoS vulnerability in block_format in Action Mailer

Details

There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.

Impact

Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

Users can avoid calling the block_format helper or upgrade to Ruby 3.2

Credits

Thanks to yuki_osaki for the report!

Severity ?

6.6 (Medium)


                  
                    CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "6.1.7.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.0.8.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.1.0"
            },
            {
              "fixed": "7.1.4.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "actionmailer"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.2.0"
            },
            {
              "fixed": "7.2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-47889"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1333"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-10-15T23:35:38Z",
    "nvd_published_at": "2024-10-16T21:15:13Z",
    "severity": "MODERATE"
  },
  "details": "There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889.\n\nImpact\n------\n\nCarefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.\n\nRuby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.\n\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nUsers can avoid calling the `block_format` helper or upgrade to Ruby 3.2\n\nCredits\n-------\n\nThanks to yuki_osaki for the report!",
  "id": "GHSA-h47h-mwp9-c6q6",
  "modified": "2025-01-07T21:47:36Z",
  "published": "2024-10-15T23:35:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/rails/rails"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Possible ReDoS vulnerability in block_format in Action Mailer"
}

CERTFR-2024-AVI-0889

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.2.x antérieures à 7.2.1.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.0.x antérieures à 7.0.8.5
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.1.x antérieures à 7.1.4.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions antérieures à 6.1.7.9

References

Title

Publication Time

Tags

Bulletin de sécurité Ruby on Rails 87695	2024-10-15	vendor-advisory
Bulletin de sécurité Ruby on Rails 87696	2024-10-15	vendor-advisory
Bulletin de sécurité Ruby on Rails 87698	2024-10-15	vendor-advisory
Bulletin de sécurité Ruby on Rails 87699	2024-10-15	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Ruby on Rails versions 7.2.x ant\u00e9rieures \u00e0 7.2.1.1",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.5",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.4.1",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails versions ant\u00e9rieures \u00e0 6.1.7.9",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-47888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47888"
    },
    {
      "name": "CVE-2024-47887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47887"
    },
    {
      "name": "CVE-2024-28103",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28103"
    },
    {
      "name": "CVE-2024-41128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41128"
    },
    {
      "name": "CVE-2024-32464",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-32464"
    },
    {
      "name": "CVE-2024-47889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47889"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0889",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-10-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
  "vendor_advisories": [
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87695",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-47889-possible-redos-vulnerability-in-block-format-in-action-mailer/87695"
    },
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87696",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-47888-possible-redos-vulnerability-in-plain-text-for-blockquote-node-in-action-text/87696"
    },
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87698",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-47887-possible-redos-vulnerability-in-http-token-authentication-in-action-controller/87698"
    },
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87699",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-41128-possible-redos-vulnerability-in-query-parameter-filtering-in-action-dispatch/87699"
    }
  ]
}

CERTFR-2024-AVI-0889

Vulnerability from certfr_avis - Published: - Updated:

De multiples vulnérabilités ont été découvertes dans Ruby on Rails. Elles permettent à un attaquant de provoquer un déni de service à distance.

Solutions

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

Impacted products

Vendor	Product	Description
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.2.x antérieures à 7.2.1.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.0.x antérieures à 7.0.8.5
Ruby on Rails	Ruby on Rails	Ruby on Rails versions 7.1.x antérieures à 7.1.4.1
Ruby on Rails	Ruby on Rails	Ruby on Rails versions antérieures à 6.1.7.9

References

Title

Publication Time

Tags

Bulletin de sécurité Ruby on Rails 87695	2024-10-15	vendor-advisory
Bulletin de sécurité Ruby on Rails 87696	2024-10-15	vendor-advisory
Bulletin de sécurité Ruby on Rails 87698	2024-10-15	vendor-advisory
Bulletin de sécurité Ruby on Rails 87699	2024-10-15	vendor-advisory

Show details on source website

JSON

To clipboard

{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Ruby on Rails versions 7.2.x ant\u00e9rieures \u00e0 7.2.1.1",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails versions 7.0.x ant\u00e9rieures \u00e0 7.0.8.5",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails versions 7.1.x ant\u00e9rieures \u00e0 7.1.4.1",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    },
    {
      "description": "Ruby on Rails versions ant\u00e9rieures \u00e0 6.1.7.9",
      "product": {
        "name": "Ruby on Rails",
        "vendor": {
          "name": "Ruby on Rails",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": "",
  "content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
  "cves": [
    {
      "name": "CVE-2024-47888",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47888"
    },
    {
      "name": "CVE-2024-47887",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47887"
    },
    {
      "name": "CVE-2024-28103",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-28103"
    },
    {
      "name": "CVE-2024-41128",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-41128"
    },
    {
      "name": "CVE-2024-32464",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-32464"
    },
    {
      "name": "CVE-2024-47889",
      "url": "https://www.cve.org/CVERecord?id=CVE-2024-47889"
    }
  ],
  "links": [],
  "reference": "CERTFR-2024-AVI-0889",
  "revisions": [
    {
      "description": "Version initiale",
      "revision_date": "2024-10-16T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service \u00e0 distance"
    }
  ],
  "summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans Ruby on Rails. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service \u00e0 distance.",
  "title": "Multiples vuln\u00e9rabilit\u00e9s dans Ruby on Rails",
  "vendor_advisories": [
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87695",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-47889-possible-redos-vulnerability-in-block-format-in-action-mailer/87695"
    },
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87696",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-47888-possible-redos-vulnerability-in-plain-text-for-blockquote-node-in-action-text/87696"
    },
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87698",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-47887-possible-redos-vulnerability-in-http-token-authentication-in-action-controller/87698"
    },
    {
      "published_at": "2024-10-15",
      "title": "Bulletin de s\u00e9curit\u00e9 Ruby on Rails 87699",
      "url": "https://discuss.rubyonrails.org/t/cve-2024-41128-possible-redos-vulnerability-in-query-parameter-filtering-in-action-dispatch/87699"
    }
  ]
}

FKIE_CVE-2024-47889

Vulnerability from fkie_nvd - Published: 2024-10-16 21:15 - Updated: 2024-10-18 12:53

Severity ?

6.6 (Medium) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
	security-advisories@github.com	https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
	security-advisories@github.com	https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
	security-advisories@github.com	https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
	security-advisories@github.com	https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected."
    },
    {
      "lang": "es",
      "value": "Action Mailer es un framework para dise\u00f1ar capas de servicio de correo electr\u00f3nico. A partir de la versi\u00f3n 3.0.0 y anteriores a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 y 7.2.1.1, existe una posible vulnerabilidad de ReDoS en el asistente block_format de Action Mailer. Un texto cuidadosamente elaborado puede hacer que el asistente block_format tarde una cantidad inesperada de tiempo, lo que puede dar como resultado una vulnerabilidad de DoS. Todos los usuarios que ejecuten una versi\u00f3n afectada deben actualizar a las versiones 6.1.7.9, 7.0.8.5, 7.1.4.1 o 7.2.1.1 o aplicar el parche correspondiente de inmediato. Como workaround, los usuarios pueden evitar llamar al asistente `block_format` o actualizar a Ruby 3.2. Ruby 3.2 tiene mitigaciones para este problema, por lo que las aplicaciones Rails que usan Ruby 3.2 o versiones m\u00e1s nuevas no se ven afectadas. Rails 8.0.0.beta1 requiere Ruby 3.2 o superior, por lo que no se ve afectado."
    }
  ],
  "id": "CVE-2024-47889",
  "lastModified": "2024-10-18T12:53:04.627",
  "metrics": {
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.6,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "UNREPORTED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-10-16T21:15:13.320",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-1333"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

SUSE-SU-2024:3878-1

Vulnerability from csaf_suse - Published: 2024-11-01 15:32 - Updated: 2024-11-01 15:32

Summary

Security update for rubygem-actionmailer-5_1

Notes

Title of the patch

Security update for rubygem-actionmailer-5_1

Description of the patch

This update for rubygem-actionmailer-5_1 fixes the following issues: - CVE-2024-47889: Fixed Possible ReDoS vulnerability in block_format in Action Mailer (bsc#1231723).

Patchnames

SUSE-2024-3878,SUSE-SLE-Product-HA-15-SP2-2024-3878,SUSE-SLE-Product-HA-15-SP3-2024-3878,SUSE-SLE-Product-HA-15-SP4-2024-3878,SUSE-SLE-Product-HA-15-SP5-2024-3878

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-actionmailer-5_1",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-actionmailer-5_1 fixes the following issues:\n\n- CVE-2024-47889: Fixed Possible ReDoS vulnerability in block_format in Action Mailer (bsc#1231723).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2024-3878,SUSE-SLE-Product-HA-15-SP2-2024-3878,SUSE-SLE-Product-HA-15-SP3-2024-3878,SUSE-SLE-Product-HA-15-SP4-2024-3878,SUSE-SLE-Product-HA-15-SP5-2024-3878",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2024_3878-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2024:3878-1",
        "url": "https://www.suse.com/support/update/announcement/2024/suse-su-20243878-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2024:3878-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019752.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1231723",
        "url": "https://bugzilla.suse.com/1231723"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2024-47889 page",
        "url": "https://www.suse.com/security/cve/CVE-2024-47889/"
      }
    ],
    "title": "Security update for rubygem-actionmailer-5_1",
    "tracking": {
      "current_release_date": "2024-11-01T15:32:27Z",
      "generator": {
        "date": "2024-11-01T15:32:27Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2024:3878-1",
      "initial_release_date": "2024-11-01T15:32:27Z",
      "revision_history": [
        {
          "date": "2024-11-01T15:32:27Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
                  "product_id": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.aarch64",
                  "product_id": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.i586",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.i586",
                  "product_id": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.i586",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.i586",
                  "product_id": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
                  "product_id": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.ppc64le",
                  "product_id": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
                  "product_id": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.s390x",
                  "product_id": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.x86_64",
                  "product_id": "ruby2.5-rubygem-actionmailer-doc-5_1-5.1.4-150000.3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP5",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP5",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp5"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP5",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP5"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-47889",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2024-47889"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2024-47889",
          "url": "https://www.suse.com/security/cve/CVE-2024-47889"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1231723 for CVE-2024-47889",
          "url": "https://bugzilla.suse.com/1231723"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-actionmailer-5_1-5.1.4-150000.3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2024-11-01T15:32:27Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2024-47889"
    }
  ]
}

WID-SEC-W-2024-3205

Vulnerability from csaf_certbund - Published: 2024-10-15 22:00 - Updated: 2025-05-18 22:00

Summary

Ruby on Rails: Mehrere Schwachstellen ermöglichen Denial of Service

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.

Angriff

Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Ruby on Rails ausnutzen, um einen Denial of Service Angriff durchzuführen.

Betroffene Betriebssysteme

- UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Ruby on Rails ausnutzen, um einen Denial of Service Angriff durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2024-3205 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3205.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2024-3205 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3205"
      },
      {
        "category": "external",
        "summary": "Rails Security Patches vom 2024-10-15",
        "url": "https://rubyonrails.org/2024/10/15/Rails-Versions-7-0-8-5-7-1-4-1-and-7-2-1-1-have-been-released"
      },
      {
        "category": "external",
        "summary": "Rails Security Announcements vom 2024-10-15",
        "url": "https://discuss.rubyonrails.org/t/cve-2024-47887-possible-redos-vulnerability-in-http-token-authentication-in-action-controller/87698"
      },
      {
        "category": "external",
        "summary": "Rails Security Announcements vom 2024-10-15",
        "url": "https://discuss.rubyonrails.org/t/cve-2024-41128-possible-redos-vulnerability-in-query-parameter-filtering-in-action-dispatch/87699"
      },
      {
        "category": "external",
        "summary": "Rails Security Announcements vom 2024-10-15",
        "url": "https://discuss.rubyonrails.org/t/cve-2024-47888-possible-redos-vulnerability-in-plain-text-for-blockquote-node-in-action-text/87696"
      },
      {
        "category": "external",
        "summary": "Rails Security Announcements vom 2024-10-15",
        "url": "https://discuss.rubyonrails.org/t/cve-2024-47889-possible-redos-vulnerability-in-block-format-in-action-mailer/87695"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3877-1 vom 2024-11-01",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019753.html"
      },
      {
        "category": "external",
        "summary": "SUSE Security Update SUSE-SU-2024:3878-1 vom 2024-11-01",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2024-November/019752.html"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2024:14479-1 vom 2024-11-09",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2ZXD3WUVCXVEO5FFUTSYTZJ7QX6AZ2IV/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2024:14471-1 vom 2024-11-08",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/E5RFF3ZIT4H2PQE3C2J6GEEUHXNGWLFM/"
      },
      {
        "category": "external",
        "summary": "IBM Security Bulletin 7178365 vom 2024-12-10",
        "url": "https://www.ibm.com/support/pages/node/7178365"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-7290-1 vom 2025-02-25",
        "url": "https://ubuntu.com/security/notices/USN-7290-1"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15109-1 vom 2025-05-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/4B3C7EQABILQDJAY4PQHNY5OARLFZ6WA/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15124-1 vom 2025-05-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/3C5WPU2RXUSPKAI3EANLIGCY34ZDBZ4Y/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15111-1 vom 2025-05-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/XJHTNJXYCEBS7N5NPJTMRZTDIN52UBE4/"
      }
    ],
    "source_lang": "en-US",
    "title": "Ruby on Rails: Mehrere Schwachstellen erm\u00f6glichen Denial of Service",
    "tracking": {
      "current_release_date": "2025-05-18T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-19T08:32:00.401+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2024-3205",
      "initial_release_date": "2024-10-15T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2024-10-15T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2024-11-03T23:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von SUSE aufgenommen"
        },
        {
          "date": "2024-11-10T23:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        },
        {
          "date": "2024-12-09T23:00:00.000+00:00",
          "number": "4",
          "summary": "Neue Updates von IBM aufgenommen"
        },
        {
          "date": "2025-02-25T23:00:00.000+00:00",
          "number": "5",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-05-18T22:00:00.000+00:00",
          "number": "6",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "6"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "category": "product_name",
            "name": "IBM License Metric Tool",
            "product": {
              "name": "IBM License Metric Tool",
              "product_id": "T029071",
              "product_identification_helper": {
                "cpe": "cpe:/a:ibm:license_metric_tool:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "IBM"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c8.0.0.beta1",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c8.0.0.beta1",
                  "product_id": "T038459"
                }
              },
              {
                "category": "product_version",
                "name": "8.0.0.beta1",
                "product": {
                  "name": "Open Source Ruby on Rails 8.0.0.beta1",
                  "product_id": "T038459-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:8.0.0.beta1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.2.1.1",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c7.2.1.1",
                  "product_id": "T038460"
                }
              },
              {
                "category": "product_version",
                "name": "7.2.1.1",
                "product": {
                  "name": "Open Source Ruby on Rails 7.2.1.1",
                  "product_id": "T038460-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:7.2.1.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.1.4.1",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c7.1.4.1",
                  "product_id": "T038461"
                }
              },
              {
                "category": "product_version",
                "name": "7.1.4.1",
                "product": {
                  "name": "Open Source Ruby on Rails 7.1.4.1",
                  "product_id": "T038461-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:7.1.4.1"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c7.0.8.5",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c7.0.8.5",
                  "product_id": "T038462"
                }
              },
              {
                "category": "product_version",
                "name": "7.0.8.5",
                "product": {
                  "name": "Open Source Ruby on Rails 7.0.8.5",
                  "product_id": "T038462-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:7.0.8.5"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c6.1.7.9",
                "product": {
                  "name": "Open Source Ruby on Rails \u003c6.1.7.9",
                  "product_id": "T038463"
                }
              },
              {
                "category": "product_version",
                "name": "6.1.7.9",
                "product": {
                  "name": "Open Source Ruby on Rails 6.1.7.9",
                  "product_id": "T038463-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:rubyonrails:ruby_on_rails:6.1.7.9"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Ruby on Rails"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE Linux",
            "product": {
              "name": "SUSE Linux",
              "product_id": "T002207",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:suse_linux:-"
              }
            }
          },
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-41128",
      "product_status": {
        "known_affected": [
          "T038460",
          "T038461",
          "T038462",
          "T002207",
          "T000126",
          "T027843",
          "T029071",
          "T038459",
          "T038463"
        ]
      },
      "release_date": "2024-10-15T22:00:00.000+00:00",
      "title": "CVE-2024-41128"
    },
    {
      "cve": "CVE-2024-47887",
      "product_status": {
        "known_affected": [
          "T038460",
          "T038461",
          "T038462",
          "T002207",
          "T000126",
          "T027843",
          "T029071",
          "T038459",
          "T038463"
        ]
      },
      "release_date": "2024-10-15T22:00:00.000+00:00",
      "title": "CVE-2024-47887"
    },
    {
      "cve": "CVE-2024-47888",
      "product_status": {
        "known_affected": [
          "T038460",
          "T038461",
          "T038462",
          "T002207",
          "T000126",
          "T027843",
          "T029071",
          "T038459",
          "T038463"
        ]
      },
      "release_date": "2024-10-15T22:00:00.000+00:00",
      "title": "CVE-2024-47888"
    },
    {
      "cve": "CVE-2024-47889",
      "product_status": {
        "known_affected": [
          "T038460",
          "T038461",
          "T038462",
          "T002207",
          "T000126",
          "T027843",
          "T029071",
          "T038459",
          "T038463"
        ]
      },
      "release_date": "2024-10-15T22:00:00.000+00:00",
      "title": "CVE-2024-47889"
    }
  ]
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2024-47889 (GCVE-0-2024-47889)

Impact

Releases

Workarounds

Credits

Solutions

Solutions

Tags

Sightings

Nomenclature