
CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

Moderate severity · GitHub Reviewed · Published Nov 29, 2023 in carrierwaveuploader/carrierwave · Updated Nov 30, 2023

Package

bundler carrierwave (RubyGems)

Affected versions

>= 3.0.0, < 3.0.5
< 2.2.5

Patched versions

3.0.5
2.2.5

Description

Impact

CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? decides whether a Content-Type is permitted by performing a partial match against the entries of content_type_allowlist rather than a match anchored to the start of the value.
If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in content_type_allowlist will be allowed.

In addition, if the attacker-chosen Content-Type is sent along with the file when it is delivered, opening the uploaded file can cause XSS in the user's browser.

Patches

Upgrade to 3.0.5 or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist, anchor the match to the start of the string (\A) for each Content-Type set in content_type_allowlist. This prevents a value such as text/html;image/png from being accepted unintentionally when content_type_allowlist is meant to allow only image/png.
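The following Ruby script is an added example, not CarrierWave's own code, that illustrates both the bypass described under Impact and the \A workaround above. The shape of the vulnerable check (each allowlist entry turned into an unanchored regexp) is an assumption modeled on the advisory's description of a partial match; the allowlist, the helper names `partial_match_allowed?`, `anchored_allowed?` and `compare`, and the sample Content-Type values are all constructed for illustration.

```ruby
# Added example (not CarrierWave's code): contrasts a partial-match
# Content-Type allowlist check with the start-anchored (\A) check the
# advisory recommends as a workaround. Allowlist and inputs are constructed.

# Constructed allowlist: plain strings and a Regexp, as an uploader might mix.
ALLOWLIST = ["image/png", "image/jpeg", %r{image/gif}].freeze

# Turn an allowlist entry into a Regexp; strings are escaped literally.
def entry_pattern(item)
  item.is_a?(Regexp) ? item : Regexp.new(Regexp.escape(item))
end

# Vulnerable shape (assumed): the entry only has to appear *somewhere* in the
# submitted Content-Type, so "text/html;image/png" satisfies "image/png".
def partial_match_allowed?(content_type, allowlist = ALLOWLIST)
  Array(allowlist).any? do |item|
    !!(content_type =~ entry_pattern(item))
  end
end

# Workaround shape: anchor each pattern to the start of the string (\A), so
# a value that merely contains an allowed type after other text is rejected.
def anchored_allowed?(content_type, allowlist = ALLOWLIST)
  Array(allowlist).any? do |item|
    !!(content_type =~ /\A#{entry_pattern(item)}/)
  end
end

# Constructed sample inputs: the first is legitimate; the rest embed an
# allowed type inside a value that actually starts with text/html.
SAMPLES = [
  "image/png",
  "text/html;image/png",
  "text/html image/gif",
].freeze

# Returns [content_type, partial_result, anchored_result] for each sample.
def compare(samples = SAMPLES)
  samples.map do |ct|
    [ct, partial_match_allowed?(ct), anchored_allowed?(ct)]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format("%-25s %-8s %-8s", "Content-Type", "partial", "anchored")
  compare.each { |ct, p, a| puts format("%-25s %-8s %-8s", ct, p, a) }
end
```

Run it directly to print the table: the partial check accepts all three values, while the anchored check accepts only image/png. The anchored check matches exactly what the advisory prescribes (\A only); whether a stricter full-string match is appropriate for a given uploader is a separate decision, since legitimate Content-Types can carry parameters after the media type.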

References

OWASP - File Upload Cheat Sheet


Published by the National Vulnerability Database Nov 29, 2023
Published to the GitHub Advisory Database Nov 29, 2023
Reviewed Nov 29, 2023
Last updated Nov 30, 2023

Severity

Moderate (6.8 / 10)

CVSS base metrics

Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: Required
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2023-49090

GHSA ID

GHSA-gxhx-g4fq-49hj

Credits
