GHSA-vfmv-jfc5-pjjw
Suggest an improvement- Source
- https://github.com/advisories/GHSA-vfmv-jfc5-pjjw
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-vfmv-jfc5-pjjw/GHSA-vfmv-jfc5-pjjw.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-vfmv-jfc5-pjjw
- Aliases
- Published
- 2024-03-25T19:40:36Z
- Modified
- 2024-03-27T13:16:23.485442Z
- Severity
-
- 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
- Summary
- CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
- Details
-
Impact
The vulnerability CVE-2023-49090 wasn't fully addressed.
This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by
content_type_allowlist, by providing multiple values separated by commas.This bypassed value can be used to cause XSS.
Patches
Workarounds
Use the following monkey patch to let CarrierWave parse the Content-type by using
Marcel::MimeType.for.# For CarrierWave 3.x CarrierWave::SanitizedFile.class_eval do def declared_content_type @declared_content_type || if @file.respond_to?(:content_type) && @file.content_type Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp) end end end# For CarrierWave 2.x CarrierWave::SanitizedFile.class_eval do def existing_content_type if @file.respond_to?(:content_type) && @file.content_type Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp) end end endReferences
- Database specific
{ "nvd_published_at": "2024-03-24T20:15:07Z", "cwe_ids": [ "CWE-436", "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2024-03-25T19:40:36Z" }- References
-
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
- https://nvd.nist.gov/vuln/detail/CVE-2024-29034
- https://github.com/carrierwaveuploader/carrierwave/commit/25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477
- https://github.com/carrierwaveuploader/carrierwave
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml
Affected packages
RubyGems / carrierwave
Package
- Name
- carrierwave
- Purl
- pkg:gem/carrierwave
RubyGems / carrierwave
Package
- Name
- carrierwave
- Purl
- pkg:gem/carrierwave
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.6
Affected versions
0.*
0.1
0.2.0
0.2.1
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.5.1
0.3.5.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.5.0.beta2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2
1.*
1.0.0.beta
1.0.0.rc
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
2.*
2.0.0.rc
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5