Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ3Y20tNjM2cC02OHI1
Server-side request forgery in CarrierWave
Impact
CarrierWave download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.
Patches
Workarounds
Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access.
References
Server-Side Request Forgery Prevention Cheat Sheet
For more information
If you have any questions or comments about this advisory:
- Open an issue in CarrierWave repo
- Email me at [email protected]
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWZ3Y20tNjM2cC02OHI1
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 4 years ago
Updated: over 1 year ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00077
EPSS Percentile: 0.35523
Identifiers: GHSA-fwcm-636p-68r5, CVE-2021-21288
References:
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
- https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08
- https://rubygems.org/gems/carrierwave/
- https://nvd.nist.gov/vuln/detail/CVE-2021-21288
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2021-21288.yml
- https://github.com/advisories/GHSA-fwcm-636p-68r5
Blast Radius: 20.7
Affected Packages
rubygems:carrierwave
Dependent packages: 452Dependent repositories: 66,428
Downloads: 109,513,509 total
Affected Version Ranges: >= 2.0.0, < 2.1.1, < 1.3.2
Fixed in: 2.1.1, 1.3.2
All affected versions: 0.2.0, 0.2.1, 0.2.3, 0.2.4, 0.3.0, 0.3.1, 0.3.2, 0.3.3, 0.3.4, 0.3.5, 0.4.0, 0.4.1, 0.4.2, 0.4.3, 0.4.4, 0.4.5, 0.4.6, 0.4.7, 0.4.8, 0.4.9, 0.4.10, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.5.4, 0.5.5, 0.5.6, 0.5.7, 0.5.8, 0.6.0, 0.6.1, 0.6.2, 0.7.0, 0.7.1, 0.8.0, 0.9.0, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 1.0.0, 1.1.0, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 2.0.0, 2.0.1, 2.0.2, 2.1.0
All unaffected versions: 1.3.2, 1.3.3, 1.3.4, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 3.0.0, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.1.0, 3.1.1