GHSA-gxhx-g4fq-49hj

Source
https://github.com/advisories/GHSA-gxhx-g4fq-49hj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-gxhx-g4fq-49hj/GHSA-gxhx-g4fq-49hj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-gxhx-g4fq-49hj
Aliases
Published
2023-11-29T21:33:27Z
Modified
2024-02-16T08:19:20.521037Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Summary
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
Details

Impact

CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? decides whether a Content-Type is permitted by performing a partial match. If an attacker-crafted value is passed as the content_type argument of allowlisted_content_type?, Content-Types not included in the content_type_allowlist will be allowed.

In addition, if the Content-Type set by the attacker is used when the file is delivered, it is possible to cause XSS in the user's browser when the uploaded file is opened.

Patches

Upgrade to 3.0.5 or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist, forward match (\A) the Content-Type set in content_type_allowlist. This prevents unintentionally permitting text/html;image/png when you want to allow only image/png in content_type_allowlist.
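The partial match described under Impact and the forward match (\A) described under Workarounds, side by side. This is an example added here, not CarrierWave's source: the helper names partial_match_allowed?, anchored_match_allowed? and compare are hypothetical, and the sample values are constructed around the text/html;image/png case named in the advisory.

```ruby
# Added illustration; not CarrierWave's code. Helper names are hypothetical.

# Turn an allowlist entry (String or Regexp) into a regex source fragment.
def entry_source(item)
  item.is_a?(Regexp) ? item.source : Regexp.quote(item)
end

# Partial match: the entry may appear anywhere in the submitted value.
def partial_match_allowed?(allowlist, content_type)
  Array(allowlist).any? { |item| /#{entry_source(item)}/.match?(content_type.to_s) }
end

# Forward match: the entry must appear at the very start of the value (\A).
def anchored_match_allowed?(allowlist, content_type)
  Array(allowlist).any? { |item| /\A#{entry_source(item)}/.match?(content_type.to_s) }
end

# Run both checks over constructed sample values and report where they differ.
def compare(allowlist, samples)
  samples.map do |value|
    partial  = partial_match_allowed?(allowlist, value)
    anchored = anchored_match_allowed?(allowlist, value)
    { value: value, partial: partial, anchored: anchored, bypass: partial && !anchored }
  end
end

# Constructed sample inputs (not taken from real traffic).
SAMPLES = [
  'image/png',            # the type the allowlist is meant to permit
  'text/html;image/png',  # the value named in the advisory's workaround
  'text/html',            # plainly outside the allowlist
  nil                     # missing Content-Type
].freeze

if __FILE__ == $PROGRAM_NAME
  compare(['image/png'], SAMPLES).each do |row|
    puts format('%-22s partial=%-5s anchored=%-5s bypass=%s',
                row[:value].inspect, row[:partial], row[:anchored], row[:bypass])
  end
end
```

Rows where bypass is true are values that the partial match accepts and the forward match rejects.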

References

OWASP - File Upload Cheat Sheet

Database specific
{
    "nvd_published_at": "2023-11-29T15:15:08Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-11-29T21:33:27Z"
}

Affected packages

RubyGems / carrierwave

Package

Name
carrierwave
Purl
pkg:gem/carrierwave

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.5

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4

RubyGems / carrierwave

Package

Name
carrierwave
Purl
pkg:gem/carrierwave

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.5

Affected versions

0.*

0.1
0.2.0
0.2.1
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.5.1
0.3.5.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.5.0.beta2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2

1.*

1.0.0.beta
1.0.0.rc
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4

2.*

2.0.0.rc
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4