GHSA-GXHX-G4FQ-49HJ
Vulnerability from github – Published: 2023-11-29 21:33 – Updated: 2023-11-29 21:33
Impact
CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The check in allowlisted_content_type? decides whether a Content-Type is permitted by performing a partial (unanchored) match against the entries of content_type_allowlist.
If an attacker controls the content_type argument passed to allowlisted_content_type?, a value that merely contains an allowlisted entry (for example text/html;image/png when only image/png is allowed) passes validation, so Content-Types that are not in content_type_allowlist are accepted.
In addition, if the attacker-chosen Content-Type is then used when the uploaded file is served, opening the file can cause XSS in the user's browser.
Patches
Upgrade to 3.0.5 or 2.2.5.
Workarounds
When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist, anchor each Content-Type in content_type_allowlist to the start of the string (a forward match with \A), so that text/html;image/png is not unintentionally permitted when only image/png is meant to be allowed.
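As an added example, not CarrierWave's own code, the following Ruby mimics the partial-match check described above and places it beside two hardened forms: the \A-anchored version from the workaround, and a stricter variant that compares only the media type before any ";" parameter. The allowlist, method names and sample Content-Types are constructed for this illustration.

```ruby
# Constructed sample allowlist (strings and a Regexp, as an allowlist may mix both).
ALLOWLIST = ['image/png', 'image/jpeg', %r{image/gif}].freeze

# Vulnerable form: each entry becomes an unanchored regexp, so a Content-Type
# that merely CONTAINS an allowlisted value passes ("text/html;image/png").
def vulnerable_allowlisted?(content_type, allowlist = ALLOWLIST)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /#{item}/
  end
end

# Hardened form from the advisory's workaround: anchor with \A so only a
# Content-Type that BEGINS with an allowlisted value passes.
def anchored_allowlisted?(content_type, allowlist = ALLOWLIST)
  Array(allowlist).any? do |item|
    item = Regexp.quote(item) unless item.is_a?(Regexp)
    content_type =~ /\A#{item}/
  end
end

# Stricter variant (this example's own choice, not from the advisory): strip any
# ";param" suffix, normalise, and require an exact media-type match. This also
# rejects prefix abuse such as "image/pngx", which the \A check alone accepts.
def media_type_allowlisted?(content_type, allowlist = ALLOWLIST)
  media_type = content_type.to_s.split(';', 2).first.to_s.strip.downcase
  Array(allowlist).any? do |item|
    if item.is_a?(Regexp)
      media_type.match?(/\A(?:#{item})\z/)
    else
      media_type == item.downcase
    end
  end
end

# Constructed sample inputs: legitimate uploads and attacker-crafted values.
SAMPLES = [
  'image/png',
  'image/png; charset=binary',
  'text/html;image/png',        # the bypass named in the advisory
  'text/html; charset=utf-8',
  'image/pngx',                 # prefix abuse, only the strict variant rejects it
].freeze

# Verdict of all three checks for one Content-Type, as a hash.
def evaluate(content_type)
  {
    vulnerable: vulnerable_allowlisted?(content_type),
    anchored:   anchored_allowlisted?(content_type),
    strict:     media_type_allowlisted?(content_type),
  }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |ct|
    v = evaluate(ct)
    puts format('%-30s vulnerable=%-5s anchored=%-5s strict=%s',
                ct.inspect, v[:vulnerable], v[:anchored], v[:strict])
  end
end
```

The anchored check is the behaviour the advisory's workaround asks for and is enough to stop the text/html;image/png bypass, because a browser reads the media type from the start of the header. It still accepts anything that starts with an allowlisted value, which is why the stricter variant parses out the media type first. Either way, the Content-Type is client-supplied, so, as the OWASP cheat sheet referenced by the advisory notes, it should be one check among several rather than the only gate on an upload.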
References
OWASP - File Upload Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "carrierwave"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.0.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "carrierwave"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-49090"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2023-11-29T21:33:27Z",
"nvd_published_at": "2023-11-29T15:15:08Z",
"severity": "MODERATE"
},
"details": "### Impact\n[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb) has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. \n\nThe validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match.\nIf the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed.\n\nIn addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user\u0027s browser when the uploaded file is opened.\n\n### Patches\nUpgrade to [3.0.5](https://rubygems.org/gems/carrierwave/versions/3.0.5) or [2.2.5](https://rubygems.org/gems/carrierwave/versions/2.2.5).\n\n### Workarounds\nWhen validating with `allowlisted_content_type?` in [CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb) , forward match(`\\A`) the Content-Type set in `content_type_allowlist`, preventing unintentional permission of `text/html;image/png` when you want to allow only `image/png` in `content_type_allowlist`.\n\n### References\n[OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)\n",
"id": "GHSA-gxhx-g4fq-49hj",
"modified": "2023-11-29T21:33:27Z",
"published": "2023-11-29T21:33:27Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-49090"
},
{
"type": "WEB",
"url": "https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5"
},
{
"type": "WEB",
"url": "https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3"
},
{
"type": "PACKAGE",
"url": "https://github.com/carrierwaveuploader/carrierwave"
},
{
"type": "WEB",
"url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2023-49090.yml"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/carrierwave/versions/2.2.5"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/carrierwave/versions/3.0.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS"
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.