GHSA-fwcm-636p-68r5

Suggest an improvement
Source
https://github.com/advisories/GHSA-fwcm-636p-68r5
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/02/GHSA-fwcm-636p-68r5/GHSA-fwcm-636p-68r5.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-fwcm-636p-68r5
Aliases
Published
2021-02-08T19:16:26Z
Modified
2024-02-20T05:42:33.836659Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Server-side request forgery in CarrierWave
Details

Impact

CarrierWave download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.

Patches

Upgrade to 2.1.1 or 1.3.2.

Workarounds

Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access.

References

Server-Side Request Forgery Prevention Cheat Sheet

For more information

If you have any questions or comments about this advisory: * Open an issue in CarrierWave repo * Email me at mit.shibuya@gmail.com

Database specific
{
    "nvd_published_at": "2021-02-08T20:15:00Z",
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-08T18:51:29Z"
}
References

Affected packages

RubyGems / carrierwave

Package

Name
carrierwave
Purl
pkg:gem/carrierwave

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.3.2

Affected versions

0.*

0.1
0.2.0
0.2.1
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.5.1
0.3.5.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.5.0.beta2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2

1.*

1.0.0.beta
1.0.0.rc
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1

RubyGems / carrierwave

Package

Name
carrierwave
Purl
pkg:gem/carrierwave

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.1.1

Affected versions

2.*

2.0.0
2.0.1
2.0.2
2.1.0