Code Injection vulnerability in CarrierWave
CVE-2021-21305

7.4HIGH

Key Information:

Vendor

Carrierwaveuploader

Status
Carrierwave
Vendor
CVE Published:
8 February 2021

What is CVE-2021-21305?

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

Affected Version(s)

carrierwave < 1.3.2 < 1.3.2

carrierwave >= 2.0.0, < 2.1.1 < 2.0.0, 2.1.1

References

https://github.com/carrierwaveuploader/carrierwave/blob/m...
x_refsource_MISC
https://github.com/carrierwaveuploader/carrierwave/blob/m...
x_refsource_MISC
https://github.com/carrierwaveuploader/carrierwave/securi...
x_refsource_CONFIRM

EPSS Score

12% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.4
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.