carrierwave 3.0.0
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
high severity CVE-2024-29034~> 2.2.6
, >= 3.0.7
Impact
The vulnerability CVE-2023-49090 wasn't fully addressed.
This vulnerability is caused by the fact that when uploading to
object storage, including Amazon S3, it is possible to set a
Content-Type value that is interpreted by browsers to be different
from what's allowed by content_type_allowlist
, by providing
multiple values separated by commas.
This bypassed value can be used to cause XSS.
Patches
Workarounds
Use the following monkey patch to let CarrierWave parse the
Content-type by using Marcel::MimeType.for
.
# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
def declared_content_type
@declared_content_type ||
if @file.respond_to?(:content_type) && @file.content_type
Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
end
end
end
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
def existing_content_type
if @file.respond_to?(:content_type) && @file.content_type
Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
end
end
end
References
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
high severity CVE-2023-49090~> 2.2.5
, >= 3.0.5
###Impact CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in allowlisted_content_type?
determines Content-Type
permissions by performing a partial match.
If the content_type
argument of allowlisted_content_type?
is passed
a value crafted by the attacker, Content-Types not included in the
content_type_allowlist
will be allowed.
In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.
Patches
Workarounds
When validating with allowlisted_content_type?
in
CarrierWave::Uploader::ContentTypeAllowlist,
forward match(\\A
) the Content-Type set in content_type_allowlist
,
preventing unintentional permission of text/html;image/png
when
you want to allow only image/png
in content_type_allowlist
.
References
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.