CVE-2021-21288

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-21288

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21288.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-21288

Aliases

GHSA-fwcm-636p-68r5

Related

UBUNTU-CVE-2021-21288

Published

2021-02-08T20:15:12Z

Modified

2024-09-18T03:12:46.799858Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.

References

Affected packages

Debian:12 / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/debian/ruby-carrierwave?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/debian/ruby-carrierwave?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/carrierwaveuploader/carrierwave

Affected ranges

Type: GIT
Repo: https://github.com/carrierwaveuploader/carrierwave
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

012702eb3ba1663452aa025831caa304d1a665c0

Affected versions

v0.*

v0.1.0

v0.10.0

v0.2.0

v0.2.1

v0.2.3

v0.2.4

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.5.0

v0.5.0.beta2

v0.5.1

v0.5.2

v0.5.3

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.8.0

v1.*

v1.0.0

v1.0.0.beta

v1.0.0.rc

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.3.1

v2.*

v2.0.0

v2.0.0.rc

v2.0.1

v2.0.2

v2.1.0