Vulnerability Details CVE-2023-49090
CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` determines Content-Type permissions by performing a partial match. If the `content_type` argument of `allowlisted_content_type?` is passed a value crafted by the attacker, Content-Types not included in the `content_type_allowlist` will be allowed. This issue has been patched in versions 2.2.5 and 3.0.5.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 34.7%
CVSS Severity
CVSS v3 Score 6.8
References
- https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5
- https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
- https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5
- https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3
- https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj
Products affected by CVE-2023-49090
-
cpe:2.3:a:carrierwave_project:carrierwave:0.1.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.10.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.11.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.11.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.11.2
-
cpe:2.3:a:carrierwave_project:carrierwave:0.2.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.2.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.2.3
-
cpe:2.3:a:carrierwave_project:carrierwave:0.2.4
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.2
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.3
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.4
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.5
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.5.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.3.5.2
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.10
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.2
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.3
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.4
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.5
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.6
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.7
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.8
-
cpe:2.3:a:carrierwave_project:carrierwave:0.4.9
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.2
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.3
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.4
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.5
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.6
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.7
-
cpe:2.3:a:carrierwave_project:carrierwave:0.5.8
-
cpe:2.3:a:carrierwave_project:carrierwave:0.6.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.6.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.6.2
-
cpe:2.3:a:carrierwave_project:carrierwave:0.7.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.7.1
-
cpe:2.3:a:carrierwave_project:carrierwave:0.8.0
-
cpe:2.3:a:carrierwave_project:carrierwave:0.9.0
-
cpe:2.3:a:carrierwave_project:carrierwave:1.0.0
-
cpe:2.3:a:carrierwave_project:carrierwave:1.1.0
-
cpe:2.3:a:carrierwave_project:carrierwave:1.2.0
-
cpe:2.3:a:carrierwave_project:carrierwave:1.2.1
-
cpe:2.3:a:carrierwave_project:carrierwave:1.2.2
-
cpe:2.3:a:carrierwave_project:carrierwave:1.2.3
-
cpe:2.3:a:carrierwave_project:carrierwave:1.3.0
-
cpe:2.3:a:carrierwave_project:carrierwave:1.3.1
-
cpe:2.3:a:carrierwave_project:carrierwave:1.3.2
-
cpe:2.3:a:carrierwave_project:carrierwave:1.3.4
-
cpe:2.3:a:carrierwave_project:carrierwave:2.0.0
-
cpe:2.3:a:carrierwave_project:carrierwave:2.0.1
-
cpe:2.3:a:carrierwave_project:carrierwave:2.0.2
-
cpe:2.3:a:carrierwave_project:carrierwave:2.1.0
-
cpe:2.3:a:carrierwave_project:carrierwave:2.1.1
-
cpe:2.3:a:carrierwave_project:carrierwave:3.0.0
-
cpe:2.3:a:carrierwave_project:carrierwave:3.0.1
-
cpe:2.3:a:carrierwave_project:carrierwave:3.0.2
-
cpe:2.3:a:carrierwave_project:carrierwave:3.0.4