CVE-2023-49090
published 2023-11-29 · CVE-2023-49090: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability…
Priority P429 · medium · CVSS 3.1 base score 6.1 · AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS 0.61% (44.9th percentile)
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match, so an attacker-crafted `content_type` argument that merely contains an allowlisted type is accepted even though the actual type is not in `content_type_allowlist`. This issue was patched in versions 2.2.5 and 3.0.5; the follow-up CVE-2024-29034 (see the Debian, OSV and GHSA entries below) reports that fix as incomplete, because a comma-separated multi-valued Content-Type still passed the check when uploading to object storage such as Amazon S3, and recommends upgrading to 2.2.6 or 3.0.7 instead.
Affected
11 ranges indexed (verbatim duplicate rows collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| carrierwave_project | carrierwave | < 2.2.6 | 2.2.6 |
| carrierwave_project | carrierwave | < 2.2.5 | 2.2.5 |
| carrierwave_project | carrierwave | >= 0 < 2.2.5 | 2.2.5 |
| carrierwave_project | carrierwave | >= 0 < 2.2.6 | 2.2.6 |
| carrierwave_project | carrierwave | >= 3.0.0 < 3.0.7 | 3.0.7 |
| carrierwave_project | carrierwave | >= 3.0.0 < 3.0.5 | 3.0.5 |
| carrierwaveuploader | carrierwave | < 2.2.6 | 2.2.6 |
| carrierwaveuploader | carrierwave | — | — |
| debian | ruby-carrierwave | — | — |
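A check against the version ranges above, added here as an example and not a tool from this page or from the CarrierWave project: it reads the resolved `carrierwave` version out of a Gemfile.lock (a constructed sample is embedded) and compares it with the releases that close both this CVE and the incomplete-fix follow-up CVE-2024-29034, 2.2.6 on the 2.x line and 3.0.7 on the 3.x line, so 2.2.5 and 3.0.5 are still reported as vulnerable. The `SAMPLE_LOCKFILE` contents and the helper names are assumptions made for the example.

```ruby
require 'rubygems'

# Added example, not part of the page or the CarrierWave project.
# First releases that close both CVE-2023-49090 and the follow-up
# CVE-2024-29034, per the Affected table: 2.2.6 (2.x) and 3.0.7 (3.x).
FULLY_FIXED = { 2 => Gem::Version.new('2.2.6'), 3 => Gem::Version.new('3.0.7') }.freeze

# Constructed Gemfile.lock excerpt (sample data, not from a real app).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.1.3)
      carrierwave (2.2.4)
        activemodel (>= 5.0.0)
        activesupport (>= 5.0.0)
        image_processing (~> 1.1)
      image_processing (1.12.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    carrierwave (~> 2.2)
LOCK

# Resolved gem versions sit under "specs:" indented by exactly four spaces;
# the two-space DEPENDENCIES entry carries a requirement, not a version.
def carrierwave_version(lockfile_text)
  m = lockfile_text.match(/^ {4}carrierwave \(([^)\s]+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# Pick the fix release for the installed major line. Anything below 3.x
# (the ">= 0" ranges in the table) is measured against the 2.x fix.
def first_fixed_version(version)
  major = version.segments.first.to_i
  FULLY_FIXED[major >= 3 ? 3 : 2]
end

def vulnerable?(version)
  version < first_fixed_version(version)
end

# Small report hash; present: false means the gem is not in the lockfile.
def assess(lockfile_text)
  version = carrierwave_version(lockfile_text)
  return { present: false } unless version
  {
    present: true,
    version: version.to_s,
    fixed_in: first_fixed_version(version).to_s,
    vulnerable: vulnerable?(version)
  }
end

if $PROGRAM_NAME == __FILE__
  puts assess(SAMPLE_LOCKFILE).inspect
end
```

Run it against a real lockfile with `assess(File.read('Gemfile.lock'))`; `Gem::Version` handles prerelease suffixes and multi-digit segments, which a plain string comparison would get wrong.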
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| ghsa | — | 6.1 | MEDIUM | — |
| osv | — | 8.8 | HIGH | — |
| vendor_ubuntu | — | 7.4 | HIGH | — |
| vendor_debian | — | 6.8 | LOW | — |
The 8.8 and 7.4 scores come from combined Ubuntu-derived advisories (below) that also cover CVE-2021-21305, an arbitrary code execution issue, so they overstate this CVE on its own; NVD and GHSA both rate CVE-2023-49090 itself at 6.1 (network, low complexity, no privileges, user interaction required, changed scope, low confidentiality and integrity impact).
Ubuntu
CarrierWave vulnerabilities
vendor_ubuntu·2025-05-07·CVSS 7.4
CVE-2021-21305 [HIGH] CarrierWave vulnerabilities
Title: CarrierWave vulnerabilities
Summary: Several security issues were fixed in CarrierWave.
Rikita Ishikawa discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-21305)
Norihide Saito discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-49090)
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2024-29034: ruby-carrierwave - CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web...
vendor_debian·2024·CVSS 6.8
CVE-2024-29034 [MEDIUM] CVE-2024-29034: ruby-carrierwave - CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web...
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6.
Scope: local
bookworm: resolved
Debian
CVE-2023-49090: ruby-carrierwave - CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web...
vendor_debian·2023·CVSS 6.8
CVE-2023-49090 [MEDIUM] CVE-2023-49090: ruby-carrierwave - CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web...
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.
Scope: local
bookworm: open
OSV
ruby-carrierwave vulnerabilities
osv·2025-05-07·CVSS 8.8
CVE-2021-21305 [HIGH] ruby-carrierwave vulnerabilities
ruby-carrierwave vulnerabilities
Rikita Ishikawa discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2021-21305)
Norihide Saito discovered that CarrierWave did not correctly sanitize certain inputs. An attacker could possibly use this issue to execute a cross-site scripting (XSS) attack. (CVE-2023-49090)
OSV
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
osv·2024-03-25·CVSS 6.1
CVE-2024-29034 [MEDIUM] CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
### Impact
The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed.
This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas.
This bypassed value can be used to cause XSS.
### Patches
Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).
### Workarounds
Use the following monkey patch to le
GHSA
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
ghsa·2024-03-25·CVSS 6.1
CVE-2024-29034 [MEDIUM] CWE-436 CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained
### Impact
The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed.
This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas.
This bypassed value can be used to cause XSS.
### Patches
Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).
### Workarounds
Use the following monkey patch to le
OSV
CVE-2024-29034: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks
osv·2024-03-24·CVSS 6.1
CVE-2024-29034 [MEDIUM] CVE-2024-29034: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. Upgrade to 3.0.7 or 2.2.6.
OSV
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
osv·2023-11-29
CVE-2023-49090 [MEDIUM] CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
### Impact
[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb) has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match.
If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed.
In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is
GHSA
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
ghsa·2023-11-29
CVE-2023-49090 [MEDIUM] CWE-79 CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS
### Impact
[CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb) has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match.
If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed.
In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is
OSV
CVE-2023-49090: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks
osv·2023-11-29·CVSS 6.1
CVE-2023-49090 [MEDIUM] CVE-2023-49090: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.
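The two bypasses described in the entries above, shown in working code as an added illustration that is not taken from CarrierWave's source: `partial_match?`, `prefix_match?` and `strict_match?` are hypothetical reconstructions of, respectively, the substring-style check the CVE-2023-49090 advisory describes, a prefix-anchored variant that is still fooled by the comma-joined value CVE-2024-29034 describes, and a strict check that rejects multi-valued headers and compares the bare media type exactly. The allowlist, the payload strings and the helper names are constructed for the example. Browsers that follow the Fetch specification's MIME-type extraction take the last parseable type from a comma-joined Content-Type, which is why a stored `image/png, text/html` header is rendered as HTML.

```ruby
# Added illustration (not CarrierWave's source) of the allowlist check
# weakness described in CVE-2023-49090 and its follow-up CVE-2024-29034.
# The three predicates are hypothetical reconstructions of (a) a partial
# match, (b) a prefix-anchored match, and (c) an exact match that rejects
# comma-joined multi-valued headers. Allowlist and payloads are sample data.

ALLOWLIST = ['image/png', 'image/jpeg', %r{\Aimage/gif\z}].freeze

# Strings are escaped; Regexp entries are used as given (an allowlist of
# mixed strings and patterns is the shape the advisory text implies).
def pattern_for(item)
  item.is_a?(Regexp) ? item : Regexp.quote(item)
end

# (a) Partial match: the allowed type may appear anywhere in the string,
# so any value that merely contains "image/png" is accepted.
def partial_match?(content_type, allowlist = ALLOWLIST)
  allowlist.any? { |item| content_type.match?(/#{pattern_for(item)}/) }
end

# (b) Prefix-anchored match: defeats "text/html;image/png"-style payloads
# but still accepts a value that begins with an allowed type and smuggles
# a second type after a comma.
def prefix_match?(content_type, allowlist = ALLOWLIST)
  allowlist.any? { |item| content_type.match?(/\A#{pattern_for(item)}/) }
end

# (c) Strict match: reject nil, surrounding whitespace and comma-joined
# lists, drop parameters such as "; charset=...", require a well-formed
# type/subtype token, then compare the media type exactly (strings) or
# as a full-string match (Regexp entries).
def strict_match?(content_type, allowlist = ALLOWLIST)
  return false if content_type.nil?
  raw = content_type.to_s
  return false if raw.include?(',') || raw != raw.strip
  media_type = raw.split(';', 2).first.strip.downcase
  return false unless media_type.match?(%r{\A[\w.+-]+/[\w.+-]+\z})
  allowlist.any? do |item|
    if item.is_a?(Regexp)
      media_type.match?(/\A(?:#{item})\z/)
    else
      media_type == item.downcase
    end
  end
end

# Constructed attacker-supplied values next to a benign one.
PAYLOADS = {
  benign:   'image/png',
  embedded: 'text/html;image/png',  # substring trick: passes (a) only
  comma:    'image/png, text/html'  # comma trick: passes (a) and (b)
}.freeze

# Runs every payload through all three checks and returns the verdicts.
def evaluate(payloads = PAYLOADS)
  payloads.transform_values do |ct|
    { partial: partial_match?(ct), prefix: prefix_match?(ct), strict: strict_match?(ct) }
  end
end

if $PROGRAM_NAME == __FILE__
  evaluate.each { |name, verdict| puts format('%-9s %-24p %p', name, PAYLOADS[name], verdict) }
end
```

The strict variant still lets parameters through (`image/png; charset=binary` passes), because the media type is what the browser sniffs on; what it refuses is any value that could be parsed as more than one type.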
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5
https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3
Published 2023-11-29