
Debian Bug report logs - #1068150
ruby-carrierwave: CVE-2023-49090


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sun, 31 Mar 2024 20:15:02 UTC

Severity: important

Tags: security, upstream

Found in version ruby-carrierwave/1.3.2-2



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>:
Bug#1068150; Package src:ruby-carrierwave. (Sun, 31 Mar 2024 20:15:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>. (Sun, 31 Mar 2024 20:15:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ruby-carrierwave: CVE-2023-49090
Date: Sun, 31 Mar 2024 22:10:26 +0200
Source: ruby-carrierwave
Version: 1.3.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ruby-carrierwave.

CVE-2023-49090[0]:
| CarrierWave is a solution for file uploads for Rails, Sinatra and
| other Ruby web frameworks. CarrierWave has a Content-Type allowlist
| bypass vulnerability, possibly leading to XSS. The validation in
| `allowlisted_content_type?` determines Content-Type permissions by
| performing a partial match. If the `content_type` argument of
| `allowlisted_content_type?` is passed a value crafted by the
| attacker, Content-Types not included in the `content_type_allowlist`
| will be allowed. This issue has been patched in versions 2.2.5 and
| 3.0.5.

While the upstream commit will not simply apply due to other
refactoring, at least upstream claims as well that earlier versions
than 2.2.5 are affected. Note that the issue needs to be fixed
completely to not open up another CVE. See the security-tracker notes
for the details.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49090
    https://www.cve.org/CVERecord?id=CVE-2023-49090
[1] https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
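The advisory quoted above describes the flaw class: an allowlist entry is interpolated into an unanchored regexp, so a supplied Content-Type is accepted whenever an allowed type appears anywhere inside it. The following is an added illustration for this report, not CarrierWave's own source: a partial-match check beside an anchored whole-value check, run over constructed sample values. The allowlist contents and function names are assumptions.

```ruby
# Constructed allowlist: two plain strings and one Regexp entry, mirroring
# the mixed String/Regexp entries a content_type_allowlist may hold.
ALLOWLIST = ["image/png", "image/jpeg", %r{\Aimage/gif\z}].freeze

# Vulnerable pattern (illustrative, not upstream code): each entry becomes an
# unanchored regexp, so it matches as a substring of the supplied value.
def partial_match_allowed?(content_type, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    item = Regexp.escape(item) unless item.is_a?(Regexp)
    content_type.match?(/#{item}/)
  end
end

# Hardened pattern: String entries must equal the entire value; Regexp
# entries are re-anchored so they must span the entire value as well.
def exact_match_allowed?(content_type, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    if item.is_a?(Regexp)
      content_type.match?(/\A(?:#{item.source})\z/)
    else
      content_type == item
    end
  end
end

# Returns both decisions for a value so the two checks can be compared.
def decisions(content_type)
  { partial: partial_match_allowed?(content_type),
    exact: exact_match_allowed?(content_type) }
end

if __FILE__ == $0
  # Constructed samples: a legitimate type and a value that merely contains one.
  ["image/png", "image/gif", "text/html; image/png", "text/html"].each do |ct|
    puts "#{ct.inspect}: #{decisions(ct)}"
  end
end
```

A useful regression check after patching is to assert that any value whose whole string is not an allowed type is rejected, since a fix that only anchors the start of the match is still bypassable through a trailing suffix.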





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 1 11:53:15 2024; Machine Name: buxtehude
