CVE-2021-21305

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2021-21305

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-21305.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-21305

Aliases

GHSA-cf3w-g86h-35x4

Related

UBUNTU-CVE-2021-21305

Published

2021-02-08T20:15:12Z

Modified

2024-09-18T03:12:47.149130Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

References

Affected packages

Debian:12 / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/debian/ruby-carrierwave?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/debian/ruby-carrierwave?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/carrierwaveuploader/carrierwave

Affected ranges

Type: GIT
Repo: https://github.com/carrierwaveuploader/carrierwave
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

387116f5c72efa42bc3938d946b4c8d2f22181b7

Affected versions

v0.*

v0.1.0

v0.10.0

v0.2.0

v0.2.1

v0.2.3

v0.2.4

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5

v0.4.0

v0.4.1

v0.4.2

v0.4.3

v0.4.4

v0.4.5

v0.5.0

v0.5.0.beta2

v0.5.1

v0.5.2

v0.5.3

v0.5.5

v0.5.6

v0.5.7

v0.5.8

v0.6.0

v0.6.1

v0.6.2

v0.7.0

v0.7.1

v0.8.0

v1.*

v1.0.0

v1.0.0.beta

v1.0.0.rc

v1.1.0

v1.2.0

v1.2.1

v1.2.2

v1.2.3

v1.3.0

v1.3.1

v2.*

v2.0.0

v2.0.0.rc

v2.0.1

v2.0.2

v2.1.0