logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2024-29034 carrierwave

Package

Manager: gem
Name: carrierwave
Vulnerable Version: >=3.0.0 <3.0.7 || >=0 <2.2.6

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00044 pctl0.1283

Details

CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained ### Impact The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. ### Patches Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6). ### Workarounds Use the following monkey patch to let CarrierWave parse the Content-type by using `Marcel::MimeType.for`. ```ruby # For CarrierWave 3.x CarrierWave::SanitizedFile.class_eval do def declared_content_type @declared_content_type || if @file.respond_to?(:content_type) && @file.content_type Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp) end end end ``` ```ruby # For CarrierWave 2.x CarrierWave::SanitizedFile.class_eval do def existing_content_type if @file.respond_to?(:content_type) && @file.content_type Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp) end end end ``` ### References [OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)

Metadata

Created: 2024-03-25T19:40:36Z
Modified: 2024-03-27T13:00:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-vfmv-jfc5-pjjw/GHSA-vfmv-jfc5-pjjw.json
CWE IDs: ["CWE-436", "CWE-79"]
Alternative ID: GHSA-vfmv-jfc5-pjjw
Finding: F425
Auto approve: 1