<p>Upgrade <code>carrierwave</code> to version 2.1.1, 1.3.2 or higher.</p>

Server-Side Request Forgery (SSRF) Affecting carrierwave package, versions >=2.0.0.rc, <2.1.1 <1.3.2

Snyk CVSS

Attack Complexity Low

User Interaction Required

Threat Intelligence

EPSS 0.09% (40^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-CARRIERWAVE-1070797
published 9 Feb 2021
disclosed 9 Feb 2021
credit Chad Wilken, Lorenzo Stella

Report a new vulnerability Found a mistake?

Introduced: 9 Feb 2021

CVE-2021-21288 Open this link in a new tab CWE-918 Open this link in a new tab

How to fix?

Upgrade carrierwave to version 2.1.1, 1.3.2 or higher.

Overview

Affected versions of this package are vulnerable to Server-Side Request Forgery (SSRF) via the download feature. This allows attackers to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.

References

GitHub Commit