UBUNTU-CVE-2021-21305

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2021-21305

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2021/UBUNTU-CVE-2021-21305.json

JSON Data

https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2021-21305

Related

CVE-2021-21305

Published

2021-02-08T20:15:00Z

Modified

2024-10-15T14:08:00Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

References

Affected packages

Ubuntu:Pro:16.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=esm-apps/xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.0+gh-1

0.10.0+gh-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:Pro:18.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=esm-apps/bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

0.*

0.10.0+gh-4

1.*

1.1.0-3

1.2.2-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:20.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.1-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:22.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.10 / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=oracular

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-2

3.*

3.0.7-1

Ecosystem specific

{
    "ubuntu_priority": "medium"
}

Ubuntu:24.04:LTS / ruby-carrierwave

Package

Name: ruby-carrierwave
Purl: pkg:deb/ubuntu/ruby-carrierwave?arch=src?distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.3.2-2

Ecosystem specific

{
    "ubuntu_priority": "medium"
}