CVE-2021-21288 – carrierwave

Package

Manager: gem
Name: carrierwave
Vulnerable Version: >=0 <1.3.2 || >=2.0.0 <2.1.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.002 pctl0.42288

Details

Server-side request forgery in CarrierWave ### Impact [CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location) has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. ### Patches Upgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or [1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2). ### Workarounds Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access. ### References [Server-Side Request Forgery Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Server_Side_Request_Forgery_Prevention_Cheat_Sheet.html) ### For more information If you have any questions or comments about this advisory: * Open an issue in [CarrierWave repo](https://github.com/carrierwaveuploader/carrierwave) * Email me at [mit.shibuya@gmail.com](mailto:mit.shibuya@gmail.com)

Metadata

Created: 2021-02-08T19:16:26Z
Modified: 2023-05-16T15:41:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-fwcm-636p-68r5/GHSA-fwcm-636p-68r5.json
CWE IDs: ["CWE-918"]
Alternative ID: GHSA-fwcm-636p-68r5
Finding: F100
Auto approve: 1