httparty 0.7.2
httparty Gem for Ruby Type Casting Parameter Parsing Remote Code Execution
high severity, CVE-2013-1801, fixed in >= 0.10.0
httparty Gem for Ruby contains a flaw that is triggered when a type casting error occurs during the parsing of parameters. A context-dependent attacker may be able to exploit this to execute arbitrary code. Versions of this gem before 0.10.0 are affected; 0.7.2 is one of them.
httparty has multipart/form-data request tampering vulnerability
medium severity, GHSA-5pq7-52mg-hr42, fixed in >= 0.21.0
A multipart/form-data request tampering vulnerability caused by the lack of escaping of the Content-Disposition "filename" attribute in httparty.
Affected code: httparty/lib/httparty/request/body.rb, in def generate_multipart.
By exploiting this problem, the following attacks are possible:
- Rewriting the "name" field through a crafted file name, so that the upload impersonates (overwrites) another form field.
- Rewriting the filename extension seen by the server at the time the multipart/form-data body is generated, by tampering with the filename.
httparty has multipart/form-data request tampering vulnerability
medium severity, CVE-2024-22049, fixed in >= 0.21.0
HTTP multipart/form-data request tampering vulnerability in httparty < 0.20.0, due to lack of proper escaping of double quotes within the filename attribute of the Content-Disposition header. If the Content-Disposition header is set to "form-data" and contains the "filename" attribute, and the "filename" attribute contains a double quote followed by additional attributes, then those attributes are parsed as Content-Disposition attributes and override the attributes that precede them in the header.
Example of a tampered header produced from a crafted file name:
Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"
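The following is an added example, written for this page and not taken from httparty's source or its fix commit. It reproduces the header above from a crafted file name, shows how a parameter parser that lets later attributes win ends up with name="foo", how a greedy filename regex yields a ".txt" extension, and how percent-encoding the double quote (the WHATWG multipart/form-data encoding rule, used here as one possible hardening rather than httparty's actual patch) stops both. The builder, parser and helper names are all assumptions for illustration; the malicious file name is constructed from the advisory's example.

```ruby
# Added example (not httparty code): Content-Disposition filename injection
# in multipart/form-data, and one way to neutralise it.

# Mirrors the pre-0.21.0 behaviour described above: the file name is
# interpolated verbatim, so a double quote inside it terminates the quoted
# value and everything after it becomes new header attributes.
def content_disposition_unescaped(name, filename)
  %(form-data; name="#{name}"; filename="#{filename}")
end

# Hardened variant: percent-encode the characters that can break out of, or
# be mistaken for, a quoted parameter. Browsers encode " CR LF this way for
# multipart/form-data; '%' and '\' are also encoded so decoding is unambiguous.
def escape_param(value)
  value.to_s.gsub(/["\r\n\\%]/) { |c| format('%%%02X', c.ord) }
end

# Inverse of escape_param, for the receiving side (does not treat '+' as space).
def unescape_param(value)
  value.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
end

def content_disposition_escaped(name, filename)
  %(form-data; name="#{escape_param(name)}"; filename="#{escape_param(filename)}")
end

# Minimal server-side parameter parser: each key="value" pair goes into a Hash,
# and a repeated key overwrites the earlier one. That is exactly the
# "later attributes override earlier ones" behaviour the advisory describes.
def parse_disposition_params(header)
  params = {}
  header.scan(/(\w+)="([^"]*)"/) { |key, value| params[key] = value }
  params
end

# Some parsers pull the file name out with a greedy regex. With an unescaped
# quote in the name, the match runs to the last quote on the line, so the
# attacker controls the extension the server believes it received.
def greedy_filename(header)
  header[/filename="(.*)"/, 1]
end

# Constructed attacker-controlled file name, derived from the advisory's example header.
MALICIOUS_FILENAME = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

if __FILE__ == $PROGRAM_NAME
  vuln = content_disposition_unescaped('avatar', MALICIOUS_FILENAME)
  puts vuln
  p parse_disposition_params(vuln)  # "name" => "foo": the avatar field is overwritten
  p greedy_filename(vuln)           # ends in ".txt", not ".sh"

  fixed = content_disposition_escaped('avatar', MALICIOUS_FILENAME)
  puts fixed
  p parse_disposition_params(fixed) # "name" => "avatar", no "dummy" key
  p unescape_param(parse_disposition_params(fixed)['filename']) == MALICIOUS_FILENAME
end
```

The escaped header keeps the whole attacker string inside a single filename value; the server decodes it back to exactly what the client sent, and the form field it was attached to is unchanged. A server-side check on the decoded name (extension whitelist, no path separators) is still needed, since escaping only fixes the framing, not the content.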
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leak issues.
The author did not declare a license for this gem in the gemspec.
This gem version carries an MIT license in the source code, but it is not declared in the gemspec file.
This gem version is available.
This gem version has not been yanked and is still available for usage.