Search for packages
| purl | pkg:gem/carrierwave@1.3.2 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-hway-mr71-cqgj
Aliases: CVE-2023-49090 GHSA-gxhx-g4fq-49hj |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
|
VCID-phc1-hxmj-4qdw
Aliases: CVE-2024-29034 GHSA-vfmv-jfc5-pjjw |
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. |
Affected by 1 other vulnerability. Affected by 1 other vulnerability. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| VCID-8qcp-bmgq-wye6 | Code Injection vulnerability in CarrierWave::RMagick ### Impact [CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb) has a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation option(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). (But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to DoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension) ### Proof of Concept ```ruby class MyUploader < CarrierWave::Uploader::Base include CarrierWave::RMagick end MyUploader.new.manipulate!({ read: { density: "1 }; p 'Hacked'; {" }}) # => shows "Hacked" ``` ### Patches Upgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or [1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2). ### Workarounds Stop supplying untrusted input to `#manipulate!`'s mutation option. |
CVE-2021-21305
GHSA-cf3w-g86h-35x4 |
| VCID-gfzv-e2cs-c3dz | Server-side request forgery in CarrierWave ### Impact [CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. ### Patches Upgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or [1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2). ### Workarounds Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access. |
CVE-2021-21288
GHSA-fwcm-636p-68r5 |