• Bug#1068150: ruby-carrierwave: CVE-2023-49090

    From Salvatore Bonaccorso@21:1/5 to All on Sun Mar 31 22:20:01 2024
    Source: ruby-carrierwave
    Version: 1.3.2-2
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for ruby-carrierwave.

    CVE-2023-49090[0]:
    | CarrierWave is a solution for file uploads for Rails, Sinatra and
    | other Ruby web frameworks. CarrierWave has a Content-Type allowlist
    | bypass vulnerability, possibly leading to XSS. The validation in
    | `allowlisted_content_type?` determines Content-Type permissions by
    | performing a partial match. If the `content_type` argument of
    | `allowlisted_content_type?` is passed a value crafted by the
    | attacker, Content-Types not included in the `content_type_allowlist`
    | will be allowed. This issue has been patched in versions 2.2.5 and
    | 3.0.5.

    While the upstream commit will not simply apply due to other
    refactoring at least upstream claims as well that earlier versions
    than 2.2.5 are affected. Note that the issue needs to be fixed
    completely to not open up another CVE. See the security-tracker notes
    for the details.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2023-49090
    https://www.cve.org/CVERecord?id=CVE-2023-49090
    [1] https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj

    Please adjust the affected versions in the BTS as needed.

    Regards,
    Salvatore

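The advisory quoted in the report describes the defect in general terms: `allowlisted_content_type?` accepts a Content-Type when it merely *partially* matches an allowlist entry, so a crafted value can pass. The following is an added illustration, not CarrierWave's own code or upstream's fix, that contrasts an unanchored match with a start-anchored match and a whole-value match. It also shows why the report stresses fixing the issue "completely": anchoring only the start of the pattern still leaves a suffix bypass. The allowlist entries, helper names and the crafted Content-Type values are constructed for this example.

```ruby
# Added example (not CarrierWave's own code): three ways to check an upload's
# Content-Type against an allowlist, from weakest to strictest. The allowlist
# and the crafted inputs below are constructed for illustration.

CONTENT_TYPE_ALLOWLIST = ["image/png", "image/jpeg", %r{image/gif}].freeze

# Build a regex from an allowlist entry. Strings are escaped so "." and
# other metacharacters are literal; Regexp entries are used as given.
def entry_to_regexp(item)
  item.is_a?(Regexp) ? item : Regexp.new(Regexp.escape(item))
end

# Weak: unanchored match. Any value that merely *contains* an allowed type
# passes, e.g. "text/html;image/png".
def allowlisted_partial?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  allowlist.any? { |item| entry_to_regexp(item).match?(content_type) }
end

# Still weak: anchored at the start only. Rejects a smuggled prefix but still
# accepts a trailing suffix such as "image/png;text/html".
def allowlisted_prefix?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  allowlist.any? do |item|
    re = entry_to_regexp(item)
    Regexp.new("\\A(?:#{re.source})", re.options).match?(content_type)
  end
end

# Strict: the whole value must match. Strings compare exactly; Regexp entries
# are wrapped in \A ... \z so they cannot match a substring.
def allowlisted_exact?(content_type, allowlist = CONTENT_TYPE_ALLOWLIST)
  allowlist.any? do |item|
    if item.is_a?(Regexp)
      Regexp.new("\\A(?:#{item.source})\\z", item.options).match?(content_type)
    else
      content_type == item
    end
  end
end

# Run all three checks on one value so the difference is visible side by side.
def compare_checks(content_type)
  {
    partial: allowlisted_partial?(content_type),
    prefix:  allowlisted_prefix?(content_type),
    exact:   allowlisted_exact?(content_type),
  }
end

if __FILE__ == $PROGRAM_NAME
  samples = ["image/png", "text/html;image/png", "image/png;text/html",
             "image/gif", "text/html"]
  samples.each { |ct| puts "#{ct.ljust(22)} #{compare_checks(ct)}" }
end
```

Only the whole-value check rejects both crafted values; the prefix-anchored variant still lets `image/png;text/html` through, which is the kind of residual gap that would warrant a second advisory if shipped as the complete fix. In a real deployment the Content-Type sent by the client is attacker-controlled regardless, so the allowlist should be paired with server-side type detection of the uploaded bytes.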