VulnerableCode Package Details - pkg:gem/carrierwave@2.2.6

Search for packages

Vulnerability	Summary	Fixed by
VCID-phc1-hxmj-4qdw Aliases: CVE-2024-29034 GHSA-vfmv-jfc5-pjjw	CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.	3.0.7 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-phc1-hxmj-4qdw
Aliases:
CVE-2024-29034
GHSA-vfmv-jfc5-pjjw

CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.

3.0.7
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
VCID-phc1-hxmj-4qdw	CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.	CVE-2024-29034 GHSA-vfmv-jfc5-pjjw

Vulnerability

Summary

Aliases

VCID-phc1-hxmj-4qdw

CVE-2024-29034
GHSA-vfmv-jfc5-pjjw

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-04T18:14:55.175504+00:00	Ruby Importer	Affected by	VCID-phc1-hxmj-4qdw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml	38.6.0
2026-06-04T18:14:55.054916+00:00	Ruby Importer	Fixing	VCID-phc1-hxmj-4qdw	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml	38.6.0
2026-06-04T16:49:19.137224+00:00	GithubOSV Importer	Fixing	VCID-phc1-hxmj-4qdw	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-vfmv-jfc5-pjjw/GHSA-vfmv-jfc5-pjjw.json	38.6.0
2026-06-02T04:47:26.309023+00:00	GitLab Importer	Fixing	VCID-phc1-hxmj-4qdw	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/carrierwave/CVE-2024-29034.yml	38.6.0