CVE-2021-21305

Source
https://nvd.nist.gov/vuln/detail/CVE-2021-21305
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-21305.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2021-21305
Aliases
Related
Published
2021-02-08T20:15:12Z
Modified
2024-10-12T06:46:26.161045Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

References

Affected packages

Debian:12 / ruby-carrierwave

Package

Name
ruby-carrierwave
Purl
pkg:deb/debian/ruby-carrierwave?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-carrierwave

Package

Name
ruby-carrierwave
Purl
pkg:deb/debian/ruby-carrierwave?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.2-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/carrierwaveuploader/carrierwave

Affected ranges

Type
GIT
Repo
https://github.com/carrierwaveuploader/carrierwave
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v0.*

v0.1.0
v0.10.0
v0.2.0
v0.2.1
v0.2.3
v0.2.4
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4.0
v0.4.1
v0.4.2
v0.4.3
v0.4.4
v0.4.5
v0.5.0
v0.5.0.beta2
v0.5.1
v0.5.2
v0.5.3
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.6.0
v0.6.1
v0.6.2
v0.7.0
v0.7.1
v0.8.0

v1.*

v1.0.0
v1.0.0.beta
v1.0.0.rc
v1.1.0
v1.2.0
v1.2.1
v1.2.2
v1.2.3
v1.3.0
v1.3.1

v2.*

v2.0.0
v2.0.0.rc
v2.0.1
v2.0.2
v2.1.0