CVE-2021-21305

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

CVSS v3 7.4 HIGH
CVSS v2.0 7.5 HIGH

7.4^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.1 / Impact : 3.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope CHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08	Release Notes Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08	Release Notes Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7	Patch Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4	Exploit Third Party Advisory
https://rubygems.org/gems/carrierwave	Product Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08	Release Notes Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08	Release Notes Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7	Patch Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4	Exploit Third Party Advisory
https://rubygems.org/gems/carrierwave	Product Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:carrierwave_project:carrierwave::::::ruby::*
	cpe:2.3:a:carrierwave_project:carrierwave::::::ruby::*

History

21 Nov 2024, 05:47

Type	Values Removed	Values Added
CVSS	v2 : ~~7.5~~ v3 : ~~8.8~~	v2 : 7.5 v3 : 7.4
References	~~() https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08 - Release Notes, Third Party Advisory~~	() https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08 - Release Notes, Third Party Advisory
References	~~() https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08 - Release Notes, Third Party Advisory~~	() https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08 - Release Notes, Third Party Advisory
References	~~() https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7 - Patch, Third Party Advisory~~	() https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7 - Patch, Third Party Advisory
References	~~() https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 - Exploit, Third Party Advisory~~	() https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4 - Exploit, Third Party Advisory
References	~~() https://rubygems.org/gems/carrierwave - Product, Third Party Advisory~~	() https://rubygems.org/gems/carrierwave - Product, Third Party Advisory

Information

Published : 2021-02-08 20:15

Updated : 2024-11-21 05:47

NVD link : CVE-2021-21305

Mitre link : CVE-2021-21305

CVE.ORG link : CVE-2021-21305

JSON object : View

Products Affected

carrierwave_project

carrierwave

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

7.4 /10