logo

Database

Hidden fields manipulation In httparty

Description

Duplicate Advisory: httparty has multipart/form-data request tampering vulnerability

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-5pq7-52mg-hr42. This link is maintained to preserve external references.

Original Description

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version

Aliases

1. NVD-2024-220492. GHSA-5pq7-52mg-hr423. GCVE-GHSA-g47j-3m2m-74qv4. lists.debian.org5. lists.debian.org

References

1. https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr422. https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e3. https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L434. https://lists.fedoraproject.org/archives/list/[email protected]/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V5. https://lists.fedoraproject.org/archives/list/[email protected]/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA6. https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.