Fluid Attacks Database

Description

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	httparty	>=0 <0.21.0	0.21.0
debian 11	ruby-httparty	=0.18.1-2 \|\| >=0 <0.18.1-2+deb11u1	0.18.1-2+deb11u1
debian 12	ruby-httparty	>=0 <0.21.0-1	0.21.0-1
debian 13	ruby-httparty	>=0 <0.21.0-1	0.21.0-1
debian 14	ruby-httparty	>=0 <0.21.0-1	0.21.0-1

Aliases

1. CVE-2024-220492. NVD-2024-220493. OSV-2024-220494. OSV-DEBIAN-2024-220495. GHSA-5pq7-52mg-hr426. GCVE-2024-220497. SECURITY-TRACKER-CVE-2024-22049

References

1. https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr422. https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e3. https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L434. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/httparty/CVE-2024-22049.yml