GHSA-vfmv-jfc5-pjjw

Published: 25 Mar 2024
Source: github
GitHub: reviewed
CVSS3: 6.8

Description

CarrierWave Content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the declared Content-Type with Marcel::MimeType.for, which reduces it to a single media type before it is checked and stored.

require "marcel"

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        # Let Marcel parse the declared value into one media type instead of
        # trusting the raw Content-Type string from the upload.
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end

# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end
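The defensive step the workaround relies on, as an added example that is not CarrierWave's or Marcel's own code: a declared Content-Type is reduced to a single media type before the allowlist check, and only that normalized value (never the raw header) is used as the object's Content-Type when it is written to storage. The parsing rule (first token before a comma, semicolon or whitespace, lower-cased, must contain a slash) is an assumption modelled on how Marcel::MimeType.for(declared_type:) treats the declared value; the allowlist, sample header values and helper names are constructed for the example.

```ruby
# Added example (not CarrierWave's or Marcel's code). Assumption: the media
# type is the first token before ',' ';' or whitespace, as Marcel parses a
# declared_type. A value with several comma-separated types therefore
# collapses to one type, and a value without "type/subtype" shape is rejected.
def normalize_declared_type(declared)
  return nil if declared.nil?
  first = declared.to_s.strip.downcase.split(/[;,\s]/, 2).first
  first if first && first.include?("/")
end

# Allowlist entries may be exact strings or regexps, compared against the
# normalized type only, never against the raw declared string.
def content_type_allowed?(declared, allowlist)
  type = normalize_declared_type(declared)
  return false if type.nil?
  allowlist.any? { |allowed| allowed.is_a?(Regexp) ? allowed.match?(type) : allowed == type }
end

# The Content-Type to hand to object storage: the normalized type, or an
# error when the declared type is not allowed.
def storage_content_type(declared, allowlist)
  type = normalize_declared_type(declared)
  unless type && content_type_allowed?(declared, allowlist)
    raise ArgumentError, "declared Content-Type #{declared.inspect} not in allowlist"
  end
  type
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values; :multi carries several comma-separated types.
  allowlist = ["image/png", "image/jpeg", %r{\Aimage/}]
  samples = {
    plain:  "image/png",
    params: "image/png; charset=utf-8",
    multi:  "image/png, text/html",
    swapped: "text/html, image/png",
    junk:   "not-a-media-type",
  }
  samples.each do |label, value|
    puts format("%-8s declared=%-28p normalized=%-12p allowed=%s",
                label, value, normalize_declared_type(value),
                content_type_allowed?(value, allowlist))
  end
  puts "stored Content-Type for :multi => #{storage_content_type(samples[:multi], allowlist).inspect}"
end
```

Run it with `ruby normalize_content_type.rb`: the comma-separated sample passes the allowlist only because it collapses to `image/png`, and that single value is what reaches storage, while a value whose first token is not on the allowlist is refused outright.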

References

OWASP - File Upload Cheat Sheet

Packages

Name: carrierwave (rubygems)
Affected versions: >= 3.0.0, < 3.0.7
Fixed version: 3.0.7

Name: carrierwave (rubygems)
Affected versions: < 2.2.6
Fixed version: 2.2.6

EPSS

Percentile: 23%
Score: 0.00075
Low

CVSS3: 6.8 Medium

Weaknesses

CWE-436
CWE-79

Related vulnerabilities

CVSS3: 6.8
ubuntu
almost 2 years ago

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6.

CVSS3: 6.8
nvd
almost 2 years ago

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6.

CVSS3: 6.8
debian
almost 2 years ago

CarrierWave is a solution for file uploads for Rails, Sinatra and othe ...
