GHSA-vfmv-jfc5-pjjw

Suggest an improvement
Source
https://github.com/advisories/GHSA-vfmv-jfc5-pjjw
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-vfmv-jfc5-pjjw/GHSA-vfmv-jfc5-pjjw.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-vfmv-jfc5-pjjw
Aliases
Published
2024-03-25T19:40:36Z
Modified
2024-03-27T13:16:16.124407Z
Severity
  • 6.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N CVSS Calculator
Summary
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
Details

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

Database specific
{
    "nvd_published_at": "2024-03-24T20:15:07Z",
    "cwe_ids": [
        "CWE-436",
        "CWE-79"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:40:36Z"
}
References

Affected packages

RubyGems / carrierwave

Package

Name
carrierwave
Purl
pkg:gem/carrierwave

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0
Fixed
3.0.7

Affected versions

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6

RubyGems / carrierwave

Package

Name
carrierwave
Purl
pkg:gem/carrierwave

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.6

Affected versions

0.*

0.1
0.2.0
0.2.1
0.2.3
0.2.4
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.5.1
0.3.5.2
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.5.0.beta2
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.8.0
0.9.0
0.10.0
0.11.0
0.11.1
0.11.2

1.*

1.0.0.beta
1.0.0.rc
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4

2.*

2.0.0.rc
2.0.0
2.0.1
2.0.2
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.2.3
2.2.4
2.2.5