DEBIAN-CVE-2026-33173

See a problem?
Please try reporting it to the source first.

Source

https://security-tracker.debian.org/tracker/CVE-2026-33173

Import Source

https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33173.json

JSON Data

https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-33173

Upstream

CVE-2026-33173

Published

2026-03-24T00:16:28.457Z

Modified

2026-03-25T19:07:28.741271Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CVSS Calculator

Summary

[none]

Details

Active Storage allows users to attach cloud and local files in Rails applications. Prior to versions 8.1.2.1, 8.0.4.1, and 7.2.3.1, DirectUploadsController accepts arbitrary metadata from the client and persists it on the blob. Because internal flags like identified and analyzed are stored in the same metadata hash, a direct-upload client can set these flags to skip MIME detection and analysis. This allows an attacker to upload arbitrary content while claiming a safe content_type, bypassing any validations that rely on Active Storage's automatic content type identification. Versions 8.1.2.1, 8.0.4.1, and 7.2.3.1 contain a patch.

References

https://security-tracker.debian.org/tracker/CVE-2026-33173

Affected packages

Debian:11 / rails

Package

Name: rails
Purl: pkg:deb/debian/rails?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2:6.*

2:6.0.3.7+dfsg-2

2:6.0.3.7+dfsg-2+deb11u1

2:6.0.3.7+dfsg-2+deb11u2

2:6.0.3.7+dfsg-2+deb11u3

2:6.0.3.7+dfsg-2+deb11u4

2:6.0.3.7+dfsg-3

2:6.1.4+dfsg-1

2:6.1.4+dfsg-2

2:6.1.4+dfsg-3

2:6.1.4+dfsg-4

2:6.1.4.1+dfsg-1

2:6.1.4.1+dfsg-2

2:6.1.4.1+dfsg-3

2:6.1.4.1+dfsg-4

2:6.1.4.1+dfsg-5

2:6.1.4.1+dfsg-6

2:6.1.4.1+dfsg-7

2:6.1.4.1+dfsg-8

2:6.1.4.6+dfsg-1

2:6.1.4.6+dfsg-2

2:6.1.4.6+dfsg-3

2:6.1.4.7+dfsg-1

2:6.1.4.7+dfsg-2

2:6.1.6.1+dfsg-1

2:6.1.6.1+dfsg-2

2:6.1.6.1+dfsg-3

2:6.1.6.1+dfsg-4

2:6.1.7+dfsg-1

2:6.1.7+dfsg-2

2:6.1.7+dfsg-3~bpo11+1

2:6.1.7+dfsg-3~bpo11+2

2:6.1.7+dfsg-3

2:6.1.7.3+dfsg-1~bpo11+1

2:6.1.7.3+dfsg-1

2:6.1.7.3+dfsg-2~deb12u1

2:6.1.7.3+dfsg-2

2:6.1.7.3+dfsg-3

2:6.1.7.3+dfsg-4

2:6.1.7.3+dfsg-5

2:6.1.7.3+dfsg-6

2:6.1.7.3+dfsg-7~exp1

2:6.1.7.3+dfsg-7

2:6.1.7.3+dfsg-8

2:6.1.7.3+dfsg-9

2:6.1.7.3+dfsg-10

2:6.1.7.3+dfsg-11

2:6.1.7.3+dfsg-12

2:6.1.7.3+dfsg-13

2:6.1.7.10+dfsg-1~deb12u1

2:6.1.7.10+dfsg-1~deb12u2

2:7.*

2:7.2.2.1+dfsg-1~exp1

2:7.2.2.1+dfsg-1~exp2

2:7.2.2.1+dfsg-1~exp3

2:7.2.2.1+dfsg-1~exp4

2:7.2.2.1+dfsg-1~exp6

2:7.2.2.1+dfsg-1

2:7.2.2.1+dfsg-2

2:7.2.2.1+dfsg-3

2:7.2.2.1+dfsg-4

2:7.2.2.1+dfsg-5

2:7.2.2.1+dfsg-6

2:7.2.2.1+dfsg-7

2:7.2.2.2+dfsg-1

2:7.2.2.2+dfsg-2~deb13u1

2:7.2.2.2+dfsg-2

2:7.2.3+dfsg-1

2:7.2.3+dfsg-2

2:7.2.3+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33173.json"

Debian:12 / rails

Package

Name: rails
Purl: pkg:deb/debian/rails?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2:6.*

2:6.1.7.3+dfsg-1

2:6.1.7.3+dfsg-2~deb12u1

2:6.1.7.3+dfsg-2

2:6.1.7.3+dfsg-3

2:6.1.7.3+dfsg-4

2:6.1.7.3+dfsg-5

2:6.1.7.3+dfsg-6

2:6.1.7.3+dfsg-7~exp1

2:6.1.7.3+dfsg-7

2:6.1.7.3+dfsg-8

2:6.1.7.3+dfsg-9

2:6.1.7.3+dfsg-10

2:6.1.7.3+dfsg-11

2:6.1.7.3+dfsg-12

2:6.1.7.3+dfsg-13

2:6.1.7.10+dfsg-1~deb12u1

2:6.1.7.10+dfsg-1~deb12u2

2:7.*

2:7.2.2.1+dfsg-1~exp1

2:7.2.2.1+dfsg-1~exp2

2:7.2.2.1+dfsg-1~exp3

2:7.2.2.1+dfsg-1~exp4

2:7.2.2.1+dfsg-1~exp6

2:7.2.2.1+dfsg-1

2:7.2.2.1+dfsg-2

2:7.2.2.1+dfsg-3

2:7.2.2.1+dfsg-4

2:7.2.2.1+dfsg-5

2:7.2.2.1+dfsg-6

2:7.2.2.1+dfsg-7

2:7.2.2.2+dfsg-1

2:7.2.2.2+dfsg-2~deb13u1

2:7.2.2.2+dfsg-2

2:7.2.3+dfsg-1

2:7.2.3+dfsg-2

2:7.2.3+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33173.json"

Debian:13 / rails

Package

Name: rails
Purl: pkg:deb/debian/rails?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2:7.*

2:7.2.2.1+dfsg-7

2:7.2.2.2+dfsg-1

2:7.2.2.2+dfsg-2~deb13u1

2:7.2.2.2+dfsg-2

2:7.2.3+dfsg-1

2:7.2.3+dfsg-2

2:7.2.3+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33173.json"

Debian:14 / rails

Package

Name: rails
Purl: pkg:deb/debian/rails?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2:7.*

2:7.2.2.1+dfsg-7

2:7.2.2.2+dfsg-1

2:7.2.2.2+dfsg-2~deb13u1

2:7.2.2.2+dfsg-2

2:7.2.3+dfsg-1

2:7.2.3+dfsg-2

2:7.2.3+dfsg-3

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source

"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-33173.json"