Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1neGh4LWc0ZnEtNDloas4AA3a3
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
Impact
CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial match. If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist will be allowed.
In addition, if the attacker-chosen Content-Type is then served with the file at delivery time, it is possible to cause XSS in the user's browser when the uploaded file is opened.
Patches
Fixed in versions 2.2.5 and 3.0.5 (see the referenced commits).
Workarounds
When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist, forward match (\A) the Content-Type set in content_type_allowlist, preventing unintentional permission of text/html;image/png when you want to allow only image/png in content_type_allowlist.
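The following is an added example, not CarrierWave's own code, illustrating both the Impact section (a partial match accepting text/html;image/png) and the Workaround (anchoring with \A). It is a minimal stand-in for an allowlist check; the allowlist entries, the sample Content-Type values and every function name are constructed for this illustration. The third, exact-match variant is an assumption of this example, not a recommendation from the advisory.

```ruby
# Added example, not CarrierWave's own code: a minimal stand-in for a
# Content-Type allowlist check in the two forms the advisory describes
# (partial match vs. forward match with \A), plus a stricter exact-match
# variant that is an assumption of this example. Allowlist entries,
# sample inputs and function names are all constructed for illustration.

SAMPLE_ALLOWLIST = ['image/png', 'image/jpeg'].freeze

# Constructed sample Content-Type values an upload might carry.
CONSTRUCTED_INPUTS = [
  'image/png',                  # legitimate upload
  'image/png; charset=binary',  # legitimate type with a parameter
  'text/html;image/png',        # the bypass value from the advisory
  'image/pngx',                 # a prefix that \A alone still accepts
  'text/html'                   # plainly disallowed
].freeze

# Entries may be plain strings or regexps; strings are quoted so that
# "image/png" cannot be read as a pattern.
def pattern_for(item)
  item.is_a?(Regexp) ? item : Regexp.quote(item)
end

# Vulnerable form: the quoted entry is matched anywhere in the string, so
# "text/html;image/png" is accepted because "image/png" occurs inside it.
def partial_match_allowed?(content_type, allowlist = SAMPLE_ALLOWLIST)
  Array(allowlist).any? { |item| content_type =~ /#{pattern_for(item)}/ }
end

# Workaround form: anchor with \A so the allowed type has to be the first
# thing in the header value.
def forward_match_allowed?(content_type, allowlist = SAMPLE_ALLOWLIST)
  Array(allowlist).any? { |item| content_type =~ /\A#{pattern_for(item)}/ }
end

# Stricter variant (assumption of this example): drop any media-type
# parameters after ';', then require the remaining media type to match an
# entry in full (\A...\z), which also rejects prefixes such as "image/pngx".
def exact_media_type_allowed?(content_type, allowlist = SAMPLE_ALLOWLIST)
  media_type = content_type.to_s.split(';', 2).first.to_s.strip.downcase
  Array(allowlist).any? { |item| media_type =~ /\A#{pattern_for(item)}\z/ }
end

# Runs the three checks over the inputs and returns the verdicts keyed by
# input, so the bypass is visible side by side with the anchored check.
def compare_checks(inputs = CONSTRUCTED_INPUTS)
  inputs.each_with_object({}) do |ct, results|
    results[ct] = {
      partial: partial_match_allowed?(ct),
      forward: forward_match_allowed?(ct),
      exact:   exact_media_type_allowed?(ct)
    }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |ct, r|
    puts format('%-30s partial=%-5s forward=%-5s exact=%s',
                ct.inspect, r[:partial], r[:forward], r[:exact])
  end
end
```

Running it shows that only the partial-match form accepts text/html;image/png. Note that the anchored check is still a prefix match: a value such as image/pngx passes it, so an allowlist that must be exact should compare the media type after splitting off parameters, as the third variant does. Whichever form is used, the Content-Type header of an upload is attacker-supplied, so the allowlist should be applied to a type derived from the file contents rather than trusted from the request alone.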
References
OWASP - File Upload Cheat Sheet
Permalink: https://github.com/advisories/GHSA-gxhx-g4fq-49hj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1neGh4LWc0ZnEtNDloas4AA3a3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 12 months ago
Updated: 12 months ago
CVSS Score: 6.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Identifiers: GHSA-gxhx-g4fq-49hj, CVE-2023-49090
References:
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
- https://nvd.nist.gov/vuln/detail/CVE-2023-49090
- https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5
- https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3
- https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb
- https://rubygems.org/gems/carrierwave/versions/2.2.5
- https://rubygems.org/gems/carrierwave/versions/3.0.5
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2023-49090.yml
- https://github.com/advisories/GHSA-gxhx-g4fq-49hj
Blast Radius: 32.8
Affected Packages
rubygems:carrierwave
Dependent packages: 452
Dependent repositories: 66,428
Downloads: 106,745,726 total
Affected Version Ranges: < 2.2.5, >= 3.0.0, < 3.0.5
Fixed in: 2.2.5, 3.0.5
All affected versions: 0.2.0, 0.2.1, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 2.0.0, 2.0.1, 2.0.2, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4
All unaffected versions: 2.2.5, 2.2.6, 3.0.5, 3.0.6, 3.0.7