carrierwave 1.3.0

4 security vulnerabilities found in version 1.3.0

CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

high severity CVE-2024-29034
high severity CVE-2024-29034
Patched versions: ~> 2.2.6, >= 3.0.7

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

high severity CVE-2023-49090
high severity CVE-2023-49090
Patched versions: ~> 2.2.5, >= 3.0.5

###Impact CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial match. If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist will be allowed.

In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.

Patches

Upgrade to 3.0.5 or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist, forward match(\\A) the Content-Type set in content_type_allowlist, preventing unintentional permission of text/html;image/png when you want to allow only image/png in content_type_allowlist.

References

OWASP - File Upload Cheat Sheet

Code Injection vulnerability in CarrierWave::RMagick

high severity CVE-2021-21305
high severity CVE-2021-21305
Patched versions: ~> 1.3.2, >= 2.1.1

Impact

CarrierWave::RMagick has a Code Injection vulnerability. Its #manipulate! method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).

(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to DoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)

Proof of Concept

class MyUploader < CarrierWave::Uploader::Base
  include CarrierWave::RMagick
end

MyUploader.new.manipulate!({ read: { density: "1 }; p 'Hacked'; {" }}) # => shows "Hacked"

Patches

Upgrade to 2.1.1 or 1.3.2.

Workarounds

Stop supplying untrusted input to #manipulate!'s mutation option.

Server-side request forgery in CarrierWave

medium severity CVE-2021-21288
medium severity CVE-2021-21288
Patched versions: ~> 1.3.2, >= 2.1.1

Impact

[CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.

Patches

Upgrade to 2.1.1 or 1.3.2.

Workarounds

Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access.

No officially reported memory leakage issues detected.


This gem version does not have any officially reported memory leaked issues.

No license issues detected.


This gem version has a license in the gemspec.

This gem version is available.


This gem version has not been yanked and is still available for usage.