Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5881 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5881-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     March 17, 2025                        https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : rails     CVE ID         : CVE-2023-28362 CVE-2023-38037 CVE-2024-26144 CVE-2024-28103                      CVE-2024-41128 CVE-2024-47887 CVE-2024-47888 CVE-2024-47889                      CVE-2024-54133

    Multiple security issues were discovered in the Rails web framework     which could result cross-site scripting, information disclosure, denial     of service or bypass of content security policies.

    For the stable distribution (bookworm), these problems have been fixed in     version 2:6.1.7.10+dfsg-1~deb12u1.

    We recommend that you upgrade your rails packages.

    For the detailed security status of rails please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/rails

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to     versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the     block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an     unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected     release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant     patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby     3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are     unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected. (CVE-2024-47889)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7290-1 advisory.

    It was discovered that Rails did not correctly handle parsing block formats in email service layers. An     attacker could possibly use this issue to cause a denial of service. (CVE-2024-47889)

    It was discovered that Rails did not correctly handle parsing block quotes in rich text content. An     attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 22.04     LTS. (CVE-2024-47888)

    It was discovered that Rails did not correctly handle parsing HTTP token authentication headers. An     attacker could possibly use this issue to cause a denial of service. (CVE-2024-47887)

    It was discovered that Rails did not correctly handle parsing query parameters in web requests. An     attacker could possibly use this issue to cause a denial of service. (CVE-2024-41128)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has a package installed that is affected by a vulnerability as referenced in the SUSE- SU-2024:3878-1 advisory.

    - CVE-2024-47889: Fixed Possible ReDoS vulnerability in block_format in Action Mailer (bsc#1231723).

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of the actionmailer Ruby library installed on the remote host is 3.x prior to 6.1.7.9, 7.0.x prior to 7.0.8.5, 7.1.x prior to 7.1.4.1 or 7.2.x prior to 7.2.1.1. It is, therefore, affected by a denial of service (DoS) vulnerability. The vulnerability lies in the block_format helper of Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
232892	Debian dsa-5881 : rails - security update	Nessus	Debian Local Security Checks	high
232125	Linux Distros Unpatched Vulnerability : CVE-2024-47889	Nessus	Misc.	high
216763	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Rails vulnerabilities (USN-7290-1)	Nessus	Ubuntu Local Security Checks	high
210105	SUSE SLES15 Security Update : rubygem-actionmailer-5_1 (SUSE-SU-2024:3878-1)	Nessus	SuSE Local Security Checks	high
209307	actionmailer Ruby Library 3.x < 6.1.7.9 / 7.0.x < 7.0.8.5 / 7.1.x < 7.1.4.1 / 7.2.x < 7.2.1.1 DoS (CVE-2024-47889)	Nessus	Misc.	high

Detections

Analytics

CVE-2024-47889

high

Tenable Plugins

high

high

high

high

high