httparty 0.2.0
httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
high severity CVE-2013-1801 >= 0.10.0
httparty Gem for Ruby contains a flaw that is triggered when a type casting error occurs during the parsing of parameters. This may allow a context-dependent attacker to potentially execute arbitrary code.
httparty has multipart/form-data request tampering vulnerability
medium severity GHSA-5pq7-52mg-hr42 >= 0.21.0
A "multipart/form-data request tampering vulnerability" in httparty, caused by the lack of escaping of the Content-Disposition "filename" attribute.
httparty/lib/httparty/request > body.rb > def generate_multipart
By exploiting this problem, the following attacks are possible:
- An attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field.
- Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.
httparty has multipart/form-data request tampering vulnerability
medium severity CVE-2024-22049 >= 0.21.0
HTTP multipart/form-data request tampering vulnerability in httparty < 0.20.0, due to lack of proper escaping of double quotes within the filename attribute of the Content-Disposition header. If the Content-Disposition header is set to "form-data" and contains the "filename" attribute, and the "filename" attribute contains a double quote followed by additional attributes, then those attributes will be parsed as Content-Disposition attributes and will override the Content-Disposition header's previous attributes.
Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"
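The header above can be reproduced and neutralised with a few lines of Ruby. This is an added example, not httparty's own code: the helper names are hypothetical, the percent-encoding of `"`, CR and LF follows the WHATWG HTML rule for multipart names, and the small parser assumes a receiver where the last duplicate attribute wins.

```ruby
# Added illustration; helper names are hypothetical, not httparty's API.

# Vulnerable pattern: the filename is interpolated into the header as-is,
# so a double quote inside it closes the quoted value early.
def unsafe_disposition(field, filename)
  %(Content-Disposition: form-data; name="#{field}"; filename="#{filename}")
end

# Hardened pattern: percent-encode the characters that can end the quoted
# value or the header line before interpolating the filename.
ESCAPES = { '"' => '%22', "\r" => '%0D', "\n" => '%0A' }.freeze

def safe_disposition(field, filename)
  escaped = filename.gsub(/["\r\n]/, ESCAPES)
  %(Content-Disposition: form-data; name="#{field}"; filename="#{escaped}")
end

# Minimal receiver-side parser (assumption: the last duplicate attribute
# wins, which is the override behaviour the advisory describes).
def parse_disposition(header)
  value = header.sub(/\AContent-Disposition:\s*/i, '')
  params = {}
  value.scan(/;\s*([A-Za-z0-9_-]+)="([^"]*)"/) { |k, v| params[k.downcase] = v }
  params
end

# Constructed sample input, modelled on the header shown in the advisory.
CRAFTED = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

# Parse both variants so the difference is visible side by side.
def demo
  { unsafe: parse_disposition(unsafe_disposition('avatar', CRAFTED)),
    safe:   parse_disposition(safe_disposition('avatar', CRAFTED)) }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |label, params| puts "#{label}: #{params.inspect}" }
end
```

With the unescaped builder the receiver sees the field as `foo` with an extra `dummy` attribute; with the escaped builder it sees `avatar` and a single, inert filename string.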
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
Gem version without a license.
Unless a license that specifies otherwise is included, nobody can use, copy, distribute, or modify this library without being at risk of take-downs, shake-downs, or litigation.
This gem version is available.
This gem version has not been yanked and is still available for usage.