[DRE-maint] Bug#1068150: ruby-carrierwave: CVE-2023-49090

Salvatore Bonaccorso carnil at debian.org
Sun Mar 31 21:10:26 BST 2024


Source: ruby-carrierwave
Version: 1.3.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for ruby-carrierwave.

CVE-2023-49090[0]:
| CarrierWave is a solution for file uploads for Rails, Sinatra and
| other Ruby web frameworks. CarrierWave has a Content-Type allowlist
| bypass vulnerability, possibly leading to XSS. The validation in
| `allowlisted_content_type?` determines Content-Type permissions by
| performing a partial match. If the `content_type` argument of
| `allowlisted_content_type?` is passed a value crafted by the
| attacker, Content-Types not included in the `content_type_allowlist`
| will be allowed. This issue has been patched in versions 2.2.5 and
| 3.0.5.

While the upstream commit will not simply apply due to other
refactoring, at least upstream claims as well that earlier versions
than 2.2.5 are affected. Note that the issue needs to be fixed
completely to not open up another CVE. See the security-tracker notes
for the details.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49090
    https://www.cve.org/CVERecord?id=CVE-2023-49090
[1] https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
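Added illustration of the flaw class the advisory quoted above describes. This is not CarrierWave's code and not a reconstruction of the upstream patch; the allowlist contents, the helper names and the bypass inputs are constructed for the example, and the assumption is only what the advisory states: the allowlisted value was compared to the submitted Content-Type with a partial (substring) match rather than a full match.

```ruby
# Added example for CVE-2023-49090; this is NOT CarrierWave's code. It is a
# minimal reconstruction (assumption) of the behaviour the advisory describes:
# an allowlist check that succeeds on a partial match of the Content-Type.

# Constructed allowlist: two plain strings and one Regexp entry.
CONTENT_TYPE_ALLOWLIST = ["image/png", "image/jpeg", %r{image/gif}].freeze

# Vulnerable pattern: the entry is interpolated into an unanchored regex, so
# the check passes whenever the allowlisted value appears ANYWHERE in the
# attacker-supplied string ("text/html; charset=image/png" is accepted).
def allowlisted_content_type_partial?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /#{item}/
  end
end

# Hardened pattern: plain strings must equal the whole value (case-insensitive,
# as media types are), and Regexp entries are anchored at both ends so they
# cannot match a substring of a longer value.
def allowlisted_content_type_full?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  value = content_type.to_s
  Array(allowlist).any? do |item|
    if item.is_a?(Regexp)
      value.match?(Regexp.new("\\A(?:#{item.source})\\z", item.options))
    else
      value.casecmp?(item.to_s)
    end
  end
end

# Runs constructed inputs through both checks and returns
# { input => [partial_result, full_result] } so the difference is visible.
def compare_checks(inputs)
  inputs.each_with_object({}) do |ct, out|
    out[ct] = [allowlisted_content_type_partial?(ct), allowlisted_content_type_full?(ct)]
  end
end

if __FILE__ == $PROGRAM_NAME
  samples = [
    "image/png",                     # legitimate, both checks accept
    "image/gif",                     # legitimate via the Regexp entry
    "text/html; charset=image/png",  # bypass: allowlisted string embedded in an HTML type
    "image/gifx",                    # bypass of the unanchored Regexp entry
    "image/svg+xml",                 # never allowlisted, both checks reject
  ]
  compare_checks(samples).each do |ct, (partial, full)|
    puts format("%-34s partial=%-5s full=%s", ct.inspect, partial, full)
  end
end
```

When reviewing a backport, the property to verify is that every allowlist entry, string or Regexp, can only match the entire content type; an anchor on one end alone still lets a crafted suffix or prefix through. The advisory lists 2.2.5 and 3.0.5 as the fixed upstream versions.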