SCA: security update for actionmailer (GHSA-h47h-mwp9-c6q6)

high Tenable Self-Hosted Container Security Plugin ID 415453

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to
versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the
block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an
unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected
release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant
patch immediately. As a workaround, users can avoid calling the `block_format` helper or upgrade to Ruby
3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are
unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected. (CVE-2024-47889)

See Also

https://github.com/advisories/GHSA-h47h-mwp9-c6q6

Plugin Details

Severity: High

ID: 415453

Version: Revision 1.13

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/6/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.7

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2024-47889

CVSS v3

Risk Factor: Medium

Base Score: 5.9

Temporal Score: 5.2

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 6.6

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/15/2024

Vulnerability Publication Date: 10/15/2024

Reference Information

CVE: CVE-2024-47889

IAVB: 2024-B-0157

cwe: CWE-1333