CVE-2021-21305
- Source
- https://cve.org/CVERecord?id=CVE-2021-21305
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21305.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-21305
- Aliases
- Downstream
- Related
- Published
- 2021-02-08T20:15:12.527Z
- Modified
- 2026-04-12T01:01:14.393857Z
- Severity
-
- 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- [none]
- Details
-
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.
- References
-
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08
- https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08
- https://rubygems.org/gems/carrierwave
- https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
Affected packages
Git / github.com/carrierwaveuploader/carrierwave
Affected ranges
- Type
- GIT
- Repo
- https://github.com/carrierwaveuploader/carrierwave
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedFixed
- Database specific
{ "source": [ "CPE_FIELD", "REFERENCES" ], "extracted_events": [ { "introduced": "0" }, { "fixed": "1.3.2" }, { "introduced": "2.0.1" }, { "fixed": "2.1.1" } ], "cpe": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*" }