CVE-2021-21305

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21305
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21305.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21305
Aliases
Downstream
Related
Published
2021-02-08T20:15:12Z
Modified
2025-09-19T12:26:23.856887Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

References

Affected packages

Git / github.com/carrierwaveuploader/carrierwave

Affected ranges

Type
GIT
Repo
https://github.com/carrierwaveuploader/carrierwave
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.10.0
v0.2.0
v0.2.1
v0.2.3
v0.2.4
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.0.beta2
v0.5.1
v0.5.2
v0.5.3
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.8.0

v1.*

v1.0.0
v1.0.0.beta
v1.0.0.rc
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1

v2.*

v2.0.0
v2.0.0.rc
v2.0.1
v2.0.2
v2.1.0