Source: ruby-carrierwave
Version: 1.3.2-2
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-carrierwave.

CVE-2023-49090[0]:
| CarrierWave is a solution for file uploads for Rails, Sinatra and
| other Ruby web frameworks. CarrierWave has a Content-Type allowlist
| bypass vulnerability, possibly leading to XSS. The validation in
| `allowlisted_content_type?` determines Content-Type permissions by
| performing a partial match. If the `content_type` argument of
| `allowlisted_content_type?` is passed a value crafted by the
| attacker, Content-Types not included in the `content_type_allowlist`
| will be allowed. This issue has been patched in versions 2.2.5 and
| 3.0.5.

While the upstream commit will not simply apply due to other refactoring, at least upstream claims as well that earlier versions than 2.2.5 are affected. Note that the issue needs to be fixed completely to not open up another CVE. See the security-tracker notes for the details.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-49090
    https://www.cve.org/CVERecord?id=CVE-2023-49090
[1] https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
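As an added illustration (not CarrierWave's own code and not the upstream patch), a simplified Ruby model of the partial-match allowlist check the advisory describes, beside an anchored version that only accepts Content-Types matching an allowlist entry in full; the allowlist, function names and sample Content-Type values are constructed for this example.

```ruby
# Constructed allowlist of the kind an uploader would declare.
ALLOWLIST = ['image/png', 'image/jpeg'].freeze

# Vulnerable shape: the allowlist entry is turned into a Regexp without
# anchors, so any Content-Type that merely *contains* an allowed value
# passes (e.g. a crafted "text/html; image/png").
def partial_match_allowlisted?(content_type, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    pattern = item.is_a?(Regexp) ? item : Regexp.new(Regexp.quote(item))
    pattern.match?(content_type.to_s)
  end
end

# Hardened shape: anchor the pattern to the whole string with \A ... \z,
# so only a Content-Type equal to (or fully matched by) an entry passes.
# Regexp entries are wrapped in a group so alternations stay anchored too.
def exact_match_allowlisted?(content_type, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    body = item.is_a?(Regexp) ? item.source : Regexp.quote(item)
    pattern = /\A(?:#{body})\z/
    pattern.match?(content_type.to_s)
  end
end

# Constructed Content-Type values: a legitimate one, a crafted one that
# embeds an allowed value, and two that should never pass.
SAMPLES = [
  'image/png',            # legitimate
  'text/html; image/png', # crafted: contains an allowed value
  'image/pngx',           # near miss
  'text/html'             # plainly disallowed
].freeze

# Returns {content_type => [partial_result, exact_result]} for each sample,
# making the bypass visible side by side.
def compare_checks(samples = SAMPLES)
  samples.to_h do |ct|
    [ct, [partial_match_allowlisted?(ct), exact_match_allowlisted?(ct)]]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |ct, (partial, exact)|
    puts format('%-24s partial=%-5s exact=%s', ct.inspect, partial, exact)
  end
end
```

The crafted value passes the unanchored check but is rejected by the anchored one, which is the difference the advisory text is pointing at.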