HIGH🇵🇱 Wersja polska

CVE-2021-21305

CVSS 7.4v3.1pub. 2021-02-08upd. 2024-11-21

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
  • Carrierwave Project Carrierwave

    APP
    Carrierwave Project
    < 1.3.22.0.1 – 2.1.1 (bez)
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-44587MEDIUM4.7ten sam produkt

CarrierWave is a framework to upload files from Ruby applications. In versions prior to 2.2.7 and 3.1.3, the c...

CVE-2024-29034MEDIUM6.8ten sam produkt

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. The vulnerability...

CVE-2023-49090MEDIUM6.8ten sam produkt

CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a...

CVE-2021-21288MEDIUM4.3ten sam produkt

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby appli...