GHSA-fwcm-636p-68r5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-fwcm-636p-68r5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-fwcm-636p-68r5/GHSA-fwcm-636p-68r5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-fwcm-636p-68r5
- Aliases
- Published
- 2021-02-08T19:16:26Z
- Modified
- 2024-02-20T05:33:40.794629Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Server-side request forgery in CarrierWave
- Details
-
Impact
CarrierWave download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.
Patches
Workarounds
Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access.
References
Server-Side Request Forgery Prevention Cheat Sheet
For more information
If you have any questions or comments about this advisory: * Open an issue in CarrierWave repo * Email me at mit.shibuya@gmail.com
- Database specific
{ "nvd_published_at": "2021-02-08T20:15:00Z", "cwe_ids": [ "CWE-918" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-02-08T18:51:29Z" }- References
-
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
- https://nvd.nist.gov/vuln/detail/CVE-2021-21288
- https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0
- https://github.com/carrierwaveuploader/carrierwave
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2021-21288.yml
- https://rubygems.org/gems/carrierwave
Affected packages
RubyGems / carrierwave
Package
- Name
- carrierwave
- Purl
- pkg:gem/carrierwave
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.3.2
Affected versions
0.*
0.1
0.2.0
0.2.1
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.5.1
0.3.5.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.5.0.beta2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2
1.*
1.0.0.beta
1.0.0.rc
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
RubyGems / carrierwave
Package
- Name
- carrierwave
- Purl
- pkg:gem/carrierwave