6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
6.5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.9%
The vulnerability CVE-2023-49090
wasn’t fully addressed.
This vulnerability is caused by the fact that when uploading to
object storage, including Amazon S3, it is possible to set a
Content-Type value that is interpreted by browsers to be different
from what’s allowed by content_type_allowlist
, by providing
multiple values separated by commas.
This bypassed value can be used to cause XSS.
Use the following monkey patch to let CarrierWave parse the
Content-type by using Marcel::MimeType.for
.
# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
def declared_content_type
@declared_content_type ||
if @file.respond_to?(:content_type) && @file.content_type
Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
end
end
end
# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
def existing_content_type
if @file.respond_to?(:content_type) && @file.content_type
Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
end
end
end
CPE | Name | Operator | Version |
---|---|---|---|
carrierwave | le | 2.2.5 | |
carrierwave | ge | 2.3.0 | |
carrierwave | lt | 3.0.7 |
6.8 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
6.5 Medium
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
20.9%