CVE-2021-21305

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

CVSS v3.0 8.8 HIGH
CVSS v2.0 7.5 HIGH

8.8^/10

CVSS v3.0 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.5^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08	Release Notes Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7	Patch Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4	Exploit Third Party Advisory
https://rubygems.org/gems/carrierwave	Product Third Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08	Release Notes Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:carrierwave_project:carrierwave::::::ruby::*
	cpe:2.3:a:carrierwave_project:carrierwave::::::ruby::*

Information

Published : 2021-02-08 12:15

Updated : 2022-04-26 08:59

NVD link : CVE-2021-21305

Mitre link : CVE-2021-21305

JSON object : View

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

Products Affected

carrierwave_project

carrierwave

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08", "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7", "name": "https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938d946b4c8d2f22181b7", "tags": ["Patch", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4", "name": "https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4", "tags": ["Exploit", "Third Party Advisory"], "refsource": "CONFIRM"}, {"url": "https://rubygems.org/gems/carrierwave", "name": "https://rubygems.org/gems/carrierwave", "tags": ["Product", "Third Party Advisory"], "refsource": "MISC"}, {"url": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08", "name": "https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08", "tags": ["Release Notes", "Third Party Advisory"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The \"#manipulate!\" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-94"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2021-21305", "ASSIGNER": "security-advisories@github.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 6.4, "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}}, "publishedDate": "2021-02-08T20:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "1.3.2"}, {"cpe23Uri": "cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "2.1.1", "versionStartIncluding": "2.0.1"}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-04-26T15:59Z"}

8.8 /10