UBUNTU-CVE-2021-21288

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2021-21288

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21288.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2021-21288

Related

CVE-2021-21288

Published

2021-02-08T20:15:00Z

Modified

2024-10-15T14:08:00Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

[none]

Details

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.

References

Affected packages

Ubuntu:Pro:16.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.0+gh-1

0.10.0+gh-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.0+gh-4

1.*

1.1.0-3

1.2.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-2

3.*

3.0.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}