CVE-2021-21305
Summary
| CVE | CVE-2021-21305 |
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2021-02-08 20:15:00 UTC |
| Updated | 2022-04-26 15:59:00 UTC |
| Description | CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1. |
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| carrierwave | RubyGems.org | your community gem host |
MISC |
rubygems.org |
Product, Third Party Advisory |
| carrierwave/CHANGELOG.md at master · carrierwaveuploader/carrierwave · GitHub |
MISC |
github.com |
Release Notes, Third Party Advisory |
| Fix Code Injection vulnerability in CarrierWave::RMagick · carrierwaveuploader/carrierwave@387116f · GitHub |
MISC |
github.com |
Patch, Third Party Advisory |
| Code Injection vulnerability in CarrierWave::RMagick · Advisory · carrierwaveuploader/carrierwave · GitHub |
CONFIRM |
github.com |
Exploit, Third Party Advisory |
| carrierwave/CHANGELOG.md at master · carrierwaveuploader/carrierwave · GitHub |
MISC |
github.com |
Release Notes, Third Party Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 184893 Debian Security Update for ruby-carrierwave (CVE-2021-21305)
- 690156 Free Berkeley Software Distribution (FreeBSD) Security Update for carrierwave (76a07f31-a860-11eb-8ddb-001b217b3468)