Vulnerability-Lookup

CVE-2021-21305 (GCVE-0-2021-21305)

Vulnerability from cvelistv5 – Published: 2021-02-08 19:20 – Updated: 2024-08-03 18:09

Title

Code Injection vulnerability in CarrierWave

Summary

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

Severity

7.4 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

CWE

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Assigner

GitHub_M

References

5 references

URL	Tags
https://github.com/carrierwaveuploader/carrierwav…	x_refsource_MISC
https://github.com/carrierwaveuploader/carrierwav…	x_refsource_MISC
https://github.com/carrierwaveuploader/carrierwav…	x_refsource_CONFIRM
https://rubygems.org/gems/carrierwave	x_refsource_MISC
https://github.com/carrierwaveuploader/carrierwav…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
carrierwaveuploader	carrierwave	Affected: < 1.3.2 Affected: >= 2.0.0, < 2.1.1

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T18:09:15.001Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://rubygems.org/gems/carrierwave"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "carrierwave",
          "vendor": "carrierwaveuploader",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 1.3.2"
            },
            {
              "status": "affected",
              "version": "\u003e= 2.0.0, \u003c 2.1.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-02-08T19:20:14.000Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://rubygems.org/gems/carrierwave"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
        }
      ],
      "source": {
        "advisory": "GHSA-cf3w-g86h-35x4",
        "discovery": "UNKNOWN"
      },
      "title": "Code Injection vulnerability in CarrierWave",
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21305",
          "STATE": "PUBLIC",
          "TITLE": "Code Injection vulnerability in CarrierWave"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "carrierwave",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "\u003c 1.3.2"
                          },
                          {
                            "version_value": "\u003e= 2.0.0, \u003c 2.1.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "carrierwaveuploader"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1."
            }
          ]
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08",
              "refsource": "MISC",
              "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
            },
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08",
              "refsource": "MISC",
              "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
            },
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4",
              "refsource": "CONFIRM",
              "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
            },
            {
              "name": "https://rubygems.org/gems/carrierwave",
              "refsource": "MISC",
              "url": "https://rubygems.org/gems/carrierwave"
            },
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7",
              "refsource": "MISC",
              "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
            }
          ]
        },
        "source": {
          "advisory": "GHSA-cf3w-g86h-35x4",
          "discovery": "UNKNOWN"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2021-21305",
    "datePublished": "2021-02-08T19:20:14.000Z",
    "dateReserved": "2020-12-22T00:00:00.000Z",
    "dateUpdated": "2024-08-03T18:09:15.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2021-21305",
      "date": "2026-06-03",
      "epss": "0.0282",
      "percentile": "0.8642"
    },
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*\", \"versionEndExcluding\": \"1.3.2\", \"matchCriteriaId\": \"68FBD42F-C60B-4C66-B772-C35F4AED519C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*\", \"versionStartIncluding\": \"2.0.1\", \"versionEndExcluding\": \"2.1.1\", \"matchCriteriaId\": \"B9D2FEB0-C576-4E14-A2F6-7642E83CC6F1\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \\\"#manipulate!\\\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.\"}, {\"lang\": \"es\", \"value\": \"CarrierWave es un RubyGem de c\\u00f3digo abierto que proporciona una forma simple y flexible de cargar archivos desde aplicaciones de Ruby.\u0026#xa0;En CarrierWave versiones anteriores a 1.3.2 y 2.1.1, se presenta una vulnerabilidad de inyecci\\u00f3n de c\\u00f3digo.\u0026#xa0;El m\\u00e9todo \\\"#manipulate!\\\" eval\\u00faa inapropiadamente el contenido de la opci\\u00f3n de mutaci\\u00f3n option(:read/:write), lo que permite a atacantes crear una cadena que se pueda ejecutar como c\\u00f3digo de Ruby.\u0026#xa0;Si un desarrollador de aplicaciones proporciona entradas que no son de confianza para la opci\\u00f3n, conllevar\\u00e1 a una ejecuci\\u00f3n de c\\u00f3digo remota (RCE).\u0026#xa0;Esto se corrigi\\u00f3 en las versiones 1.3.2 y 2.1.1\"}]",
      "id": "CVE-2021-21305",
      "lastModified": "2024-11-21T05:47:59.093",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L\", \"baseScore\": 7.4, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 3.1, \"impactScore\": 3.7}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 8.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 2.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2021-02-08T20:15:12.527",
      "references": "[{\"url\": \"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://rubygems.org/gems/carrierwave\", \"source\": \"security-advisories@github.com\", \"tags\": [\"Product\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Release Notes\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Third Party Advisory\"]}, {\"url\": \"https://rubygems.org/gems/carrierwave\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Product\", \"Third Party Advisory\"]}]",
      "sourceIdentifier": "security-advisories@github.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"security-advisories@github.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-74\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-94\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2021-21305\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2021-02-08T20:15:12.527\",\"lastModified\":\"2024-11-21T05:47:59.093\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \\\"#manipulate!\\\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.\"},{\"lang\":\"es\",\"value\":\"CarrierWave es un RubyGem de c\u00f3digo abierto que proporciona una forma simple y flexible de cargar archivos desde aplicaciones de Ruby.\u0026#xa0;En CarrierWave versiones anteriores a 1.3.2 y 2.1.1, se presenta una vulnerabilidad de inyecci\u00f3n de c\u00f3digo.\u0026#xa0;El m\u00e9todo \\\"#manipulate!\\\" eval\u00faa inapropiadamente el contenido de la opci\u00f3n de mutaci\u00f3n option(:read/:write), lo que permite a atacantes crear una cadena que se pueda ejecutar como c\u00f3digo de Ruby.\u0026#xa0;Si un desarrollador de aplicaciones proporciona entradas que no son de confianza para la opci\u00f3n, conllevar\u00e1 a una ejecuci\u00f3n de c\u00f3digo remota (RCE).\u0026#xa0;Esto se corrigi\u00f3 en las versiones 1.3.2 y 2.1.1\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L\",\"baseScore\":7.4,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":3.1,\"impactScore\":3.7},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-74\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"1.3.2\",\"matchCriteriaId\":\"68FBD42F-C60B-4C66-B772-C35F4AED519C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"2.0.1\",\"versionEndExcluding\":\"2.1.1\",\"matchCriteriaId\":\"B9D2FEB0-C576-4E14-A2F6-7642E83CC6F1\"}]}]}],\"references\":[{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://rubygems.org/gems/carrierwave\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Release Notes\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://rubygems.org/gems/carrierwave\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Product\",\"Third Party Advisory\"]}]}}"
  }
}

FKIE_CVE-2021-21305

Vulnerability from fkie_nvd - Published: 2021-02-08 20:15 - Updated: 2024-11-21 05:47

Severity

7.4 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08	Release Notes, Third Party Advisory
security-advisories@github.com	https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7	Patch, Third Party Advisory
security-advisories@github.com	https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4	Exploit, Third Party Advisory
security-advisories@github.com	https://rubygems.org/gems/carrierwave	Product, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08	Release Notes, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://rubygems.org/gems/carrierwave	Product, Third Party Advisory

Impacted products

	Vendor	Product	Version
	carrierwave_project	carrierwave	*
	carrierwave_project	carrierwave	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "68FBD42F-C60B-4C66-B772-C35F4AED519C",
              "versionEndExcluding": "1.3.2",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "B9D2FEB0-C576-4E14-A2F6-7642E83CC6F1",
              "versionEndExcluding": "2.1.1",
              "versionStartIncluding": "2.0.1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1."
    },
    {
      "lang": "es",
      "value": "CarrierWave es un RubyGem de c\u00f3digo abierto que proporciona una forma simple y flexible de cargar archivos desde aplicaciones de Ruby.\u0026#xa0;En CarrierWave versiones anteriores a 1.3.2 y 2.1.1, se presenta una vulnerabilidad de inyecci\u00f3n de c\u00f3digo.\u0026#xa0;El m\u00e9todo \"#manipulate!\" eval\u00faa inapropiadamente el contenido de la opci\u00f3n de mutaci\u00f3n option(:read/:write), lo que permite a atacantes crear una cadena que se pueda ejecutar como c\u00f3digo de Ruby.\u0026#xa0;Si un desarrollador de aplicaciones proporciona entradas que no son de confianza para la opci\u00f3n, conllevar\u00e1 a una ejecuci\u00f3n de c\u00f3digo remota (RCE).\u0026#xa0;Esto se corrigi\u00f3 en las versiones 1.3.2 y 2.1.1"
    }
  ],
  "id": "CVE-2021-21305",
  "lastModified": "2024-11-21T05:47:59.093",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 3.7,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2021-02-08T20:15:12.527",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://rubygems.org/gems/carrierwave"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Product",
        "Third Party Advisory"
      ],
      "url": "https://rubygems.org/gems/carrierwave"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-74"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-CF3W-G86H-35X4

Vulnerability from github – Published: 2021-02-08 19:16 – Updated: 2022-04-27 19:58

Summary

Code Injection vulnerability in CarrierWave::RMagick

Details

Impact

CarrierWave::RMagick has a Code Injection vulnerability. Its #manipulate! method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).

(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to DoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)

Proof of Concept

class MyUploader < CarrierWave::Uploader::Base
  include CarrierWave::RMagick
end

MyUploader.new.manipulate!({ read: { density: "1 }; p 'Hacked'; {" }}) # => shows "Hacked"

Patches

Upgrade to 2.1.1 or 1.3.2.

Workarounds

Stop supplying untrusted input to #manipulate!'s mutation option.

References

Code Injection Software Attack

For more information

If you have any questions or comments about this advisory: * Open an issue in CarrierWave repo * Email me at mit.shibuya@gmail.com

Severity

7.4 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "carrierwave"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "carrierwave"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.0.0"
            },
            {
              "fixed": "2.1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21305"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-74",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-02-08T18:51:46Z",
    "nvd_published_at": "2021-02-08T20:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb) has a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation option(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code.\nIf an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).\n\n(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to DoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)\n\n### Proof of Concept\n```ruby\nclass MyUploader \u003c CarrierWave::Uploader::Base\n  include CarrierWave::RMagick\nend\n\nMyUploader.new.manipulate!({ read: { density: \"1 }; p \u0027Hacked\u0027; {\" }}) # =\u003e shows \"Hacked\"\n```\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or [1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nStop supplying untrusted input to `#manipulate!`\u0027s mutation option.\n\n### References\n[Code Injection Software Attack](https://owasp.org/www-community/attacks/Code_Injection)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Open an issue in [CarrierWave repo](https://github.com/carrierwaveuploader/carrierwave)\n* Email me at [mit.shibuya@gmail.com](mailto:mit.shibuya@gmail.com)",
  "id": "GHSA-cf3w-g86h-35x4",
  "modified": "2022-04-27T19:58:17Z",
  "published": "2021-02-08T19:16:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21305"
    },
    {
      "type": "WEB",
      "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/carrierwaveuploader/carrierwave"
    },
    {
      "type": "WEB",
      "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
    },
    {
      "type": "WEB",
      "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2021-21305.yml"
    },
    {
      "type": "WEB",
      "url": "https://rubygems.org/gems/carrierwave"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Code Injection vulnerability in CarrierWave::RMagick"
}

GSD-2021-21305

Vulnerability from gsd - Updated: 2021-02-08 00:00

Details

### Impact [CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb) has a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation option(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). (But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to DoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension) ### Proof of Concept ```ruby class MyUploader < CarrierWave::Uploader::Base include CarrierWave::RMagick end MyUploader.new.manipulate!({ read: { density: "1 }; p 'Hacked'; {" }}) # => shows "Hacked" ``` ### Patches Upgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or [1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2). ### Workarounds Stop supplying untrusted input to `#manipulate!`'s mutation option.

Aliases

CVE-2021-21305

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2021-21305",
    "description": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.",
    "id": "GSD-2021-21305"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "affected": [
        {
          "package": {
            "ecosystem": "RubyGems",
            "name": "carrierwave",
            "purl": "pkg:gem/carrierwave"
          }
        }
      ],
      "aliases": [
        "CVE-2021-21305",
        "GHSA-cf3w-g86h-35x4"
      ],
      "details": "### Impact\n[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb)\nhas a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation\noption(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code.\nIf an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).\n\n(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to\nDoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)\n\n### Proof of Concept\n```ruby\nclass MyUploader \u003c CarrierWave::Uploader::Base\n  include CarrierWave::RMagick\nend\n\nMyUploader.new.manipulate!({ read: { density: \"1 }; p \u0027Hacked\u0027; {\" }}) # =\u003e shows \"Hacked\"\n```\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or\n[1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nStop supplying untrusted input to `#manipulate!`\u0027s mutation option.",
      "id": "GSD-2021-21305",
      "modified": "2021-02-08T00:00:00.000Z",
      "published": "2021-02-08T00:00:00.000Z",
      "references": [
        {
          "type": "WEB",
          "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
        }
      ],
      "schema_version": "1.4.0",
      "severity": [
        {
          "score": 7.4,
          "type": "CVSS_V3"
        }
      ],
      "summary": "Code Injection vulnerability in CarrierWave::RMagick"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2021-21305",
        "STATE": "PUBLIC",
        "TITLE": "Code Injection vulnerability in CarrierWave"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "carrierwave",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.3.2"
                        },
                        {
                          "version_value": "\u003e= 2.0.0, \u003c 2.1.1"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "carrierwaveuploader"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "LOW",
          "baseScore": 7.4,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component (\u0027Injection\u0027)"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08",
            "refsource": "MISC",
            "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
          },
          {
            "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08",
            "refsource": "MISC",
            "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
          },
          {
            "name": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4",
            "refsource": "CONFIRM",
            "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
          },
          {
            "name": "https://rubygems.org/gems/carrierwave",
            "refsource": "MISC",
            "url": "https://rubygems.org/gems/carrierwave"
          },
          {
            "name": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7",
            "refsource": "MISC",
            "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-cf3w-g86h-35x4",
        "discovery": "UNKNOWN"
      }
    },
    "github.com/rubysec/ruby-advisory-db": {
      "cve": "2021-21305",
      "cvss_v3": 7.4,
      "date": "2021-02-08",
      "description": "### Impact\n[CarrierWave::RMagick](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/processing/rmagick.rb)\nhas a Code Injection vulnerability. Its `#manipulate!` method inappropriately evals the content of mutation\noption(`:read`/`:write`), allowing attackers to craft a string that can be executed as a Ruby code.\nIf an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE).\n\n(But supplying untrusted input to the option itself is dangerous even in absence of this vulnerability, since is prone to\nDoS vulnerability - attackers can try to consume massive amounts of memory by resizing to a very large dimension)\n\n### Proof of Concept\n```ruby\nclass MyUploader \u003c CarrierWave::Uploader::Base\n  include CarrierWave::RMagick\nend\n\nMyUploader.new.manipulate!({ read: { density: \"1 }; p \u0027Hacked\u0027; {\" }}) # =\u003e shows \"Hacked\"\n```\n\n### Patches\nUpgrade to [2.1.1](https://rubygems.org/gems/carrierwave/versions/2.1.1) or\n[1.3.2](https://rubygems.org/gems/carrierwave/versions/1.3.2).\n\n### Workarounds\nStop supplying untrusted input to `#manipulate!`\u0027s mutation option.",
      "gem": "carrierwave",
      "ghsa": "cf3w-g86h-35x4",
      "patched_versions": [
        "~\u003e 1.3.2",
        "\u003e= 2.1.1"
      ],
      "title": "Code Injection vulnerability in CarrierWave::RMagick",
      "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c1.3.2||\u003e=2.0.1 \u003c2.1.1",
          "affected_versions": "All versions before 1.3.2, all versions starting from 2.0.1 before 2.1.1",
          "cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "cwe_ids": [
            "CWE-1035",
            "CWE-937",
            "CWE-94"
          ],
          "date": "2022-04-26",
          "description": "In CarrierWave, there is a code injection vulnerability. Attackers can craft a string that can be executed as a Ruby code.",
          "fixed_versions": [
            "1.3.2",
            "2.1.1"
          ],
          "identifier": "CVE-2021-21305",
          "identifiers": [
            "CVE-2021-21305",
            "GHSA-cf3w-g86h-35x4"
          ],
          "not_impacted": "All versions starting from 1.3.2 before 2.0.1, all versions starting from 2.1.1",
          "package_slug": "gem/carrierwave",
          "pubdate": "2021-02-08",
          "solution": "Upgrade to versions 1.3.2, 2.1.1 or above.",
          "title": "Injection Vulnerability",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2021-21305"
          ],
          "uuid": "e38ba0ce-688e-4b1c-a939-d1081eeaaebe"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.3.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*",
                "cpe_name": [],
                "versionEndExcluding": "2.1.1",
                "versionStartIncluding": "2.0.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2021-21305"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-94"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08"
            },
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7"
            },
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4",
              "refsource": "CONFIRM",
              "tags": [
                "Exploit",
                "Third Party Advisory"
              ],
              "url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4"
            },
            {
              "name": "https://rubygems.org/gems/carrierwave",
              "refsource": "MISC",
              "tags": [
                "Product",
                "Third Party Advisory"
              ],
              "url": "https://rubygems.org/gems/carrierwave"
            },
            {
              "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08",
              "refsource": "MISC",
              "tags": [
                "Release Notes",
                "Third Party Advisory"
              ],
              "url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      },
      "lastModifiedDate": "2022-04-26T15:59Z",
      "publishedDate": "2021-02-08T20:15Z"
    }
  }
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2021-21305 (GCVE-0-2021-21305)

FKIE_CVE-2021-21305

GHSA-CF3W-G86H-35X4

Impact

Proof of Concept

Patches

Workarounds

References

For more information

GSD-2021-21305

Tags

Sightings

Nomenclature