Carrierwave Project Carrierwave vulnerabilities

4 known vulnerabilities affecting carrierwave_project/carrierwave.

Total CVEs
4
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH1MEDIUM3

Vulnerabilities

Page 1 of 1
CVE-2024-29034MEDIUMCVSS 6.1fixed in 2.2.6≥ 3.0.0, < 3.0.72024-03-24
CVE-2024-29034 [MEDIUM] CVE-2024-29034: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vul CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability CVE-2023-49090 wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allow
ghsanvdosv
CVE-2023-49090MEDIUMCVSS 6.1fixed in 2.2.5≥ 3.0.0, < 3.0.52023-11-29
CVE-2023-49090 [MEDIUM] CWE-79 CVE-2023-49090: CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. Carrier CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_typ
ghsanvdosv
CVE-2021-21305HIGHCVSS 8.8fixed in 1.3.2≥ 2.0.1, < 2.1.12021-02-08
CVE-2021-21305 [HIGH] CWE-74 CVE-2021-21305: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be exec
ghsanvdosv
CVE-2021-21288MEDIUMCVSS 4.3fixed in 1.3.2≥ 2.0.1, < 2.1.12021-02-08
CVE-2021-21288 [MEDIUM] CWE-918 CVE-2021-21288: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infra
ghsanvdosv