cbcvebase.
CVE-2021-21288
published 2021-02-08

CVE-2021-21288: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and…

PriorityP422medium4.3CVSS 3.1
AVNACLPRLUINSUCLINAN
EPSS
1.17%
63.6th percentile
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.

Affected

7 ranges
VendorProductVersion rangeFixed in
carrierwave_projectcarrierwave< 1.3.21.3.2
carrierwave_projectcarrierwave>= 0 < 1.3.21.3.2
carrierwave_projectcarrierwave>= 2.0.0 < 2.1.12.1.1
carrierwave_projectcarrierwave>= 2.0.1 < 2.1.12.1.1
carrierwaveuploadercarrierwave< 1.3.21.3.2
carrierwaveuploadercarrierwave
debianruby-carrierwave< ruby-carrierwave 1.3.2-1 (bookworm)ruby-carrierwave 1.3.2-1 (bookworm)

CVSS provenance

nvdv3.14.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
nvdv2.04.0MEDIUMAV:N/AC:L/Au:S/C:P/I:N/A:N
osv4.3MEDIUM
vendor_debian4.3MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.