An open API service providing security vulnerability metadata for many open source software ecosystems.


Severity: Critical
EPSS: 0.00319% (0.54683 percentile)

paperclip Server-Side Request Forgery vulnerability

Affected package:       rubygems:paperclip (PURL: pkg:gem/paperclip)
Affected versions:      >= 3.1.4, < 5.2.0
Fixed version:          5.2.0
Dependent packages:     414
Dependent repositories: 46,471
Downloads total:        79,263,114

Affected Version Ranges

All affected versions

3.1.4, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.5.2, 3.5.3, 3.5.4, 4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0.0, 5.1.0

All unaffected versions

2.1.0, 2.1.2, 2.1.5, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.3.8, 2.3.9, 2.3.10, 2.3.11, 2.3.12, 2.3.15, 2.3.16, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.4.4, 2.4.5, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.7.0, 2.7.1, 2.7.2, 2.7.4, 2.7.5, 2.8.0, 3.0.2, 3.0.3, 3.0.4, 3.1.0, 3.1.1, 3.1.2, 5.2.0, 5.2.1, 5.3.0, 6.0.0, 6.1.0

The Paperclip Ruby gem, version 3.1.4 and later, suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.
