Amazon · Amazon S3 · CVE-2024-29034
**Name of the Vulnerable Software and Affected Versions**
CarrierWave versions prior to 2.2.6
CarrierWave versions prior to 3.0.7
**Description**
When CarrierWave uploads to object storage such as Amazon S3, the object's Content-Type can be set to a header value containing several media types separated by commas. The `content_type_allowlist` check accepts such a value, while browsers interpret it as a different type from the one the allowlist intended to permit. This bypass can be used to serve attacker-controlled content in a browser-interpreted type and cause XSS.
**Recommendations**
For CarrierWave versions prior to 2.2.6, upgrade to 2.2.6.
For CarrierWave versions prior to 3.0.7, upgrade to 3.0.7.
As a temporary workaround, consider using the provided monkey patch so that CarrierWave parses the declared Content-Type with `Marcel::MimeType.for`, which reduces it to a single recognised media type.
For CarrierWave 3.x, use the following monkey patch:
```ruby
CarrierWave::SanitizedFile.class_eval do
  # Replace the raw declared Content-Type with the single media type that
  # Marcel recognises from it, so comma-separated values no longer reach
  # the allowlist check or the stored object's metadata.
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end
```
For CarrierWave 2.x, use the following monkey patch:
```ruby
CarrierWave::SanitizedFile.class_eval do
  # Same idea for the 2.x API: normalise the declared Content-Type through
  # Marcel before CarrierWave uses it.
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end
```
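The example below is added here to show the class of check the advisory describes and the shape of the fix; it is not CarrierWave's code, and it does not use Marcel (so it runs without any gems). The allowlist `IMAGE_ALLOWLIST`, the hypothetical `naive_allowed?` check that matches a pattern anywhere in the raw header, and the hand-written `normalize_content_type` that stands in for `Marcel::MimeType.for` are all assumptions made for illustration, not descriptions of CarrierWave's internals.

```ruby
# Added example, not CarrierWave's own code. Hypothetical allowlist in the
# style of a content-type allowlist: one regex entry and one exact string.
IMAGE_ALLOWLIST = [%r{image/}, "application/pdf"].freeze

# Weak check (hypothetical): tests the raw header value as supplied by the
# client. An unanchored pattern matches a comma-separated header as long as
# one of its values fits, even though a browser may honour another value.
def naive_allowed?(content_type, allowlist = IMAGE_ALLOWLIST)
  allowlist.any? do |entry|
    entry.is_a?(Regexp) ? content_type.match?(entry) : content_type.include?(entry)
  end
end

# Reduce a declared Content-Type to one canonical media type (stand-in for
# Marcel::MimeType.for): refuse multi-valued headers outright, drop
# parameters such as charset, lower-case the result, and accept only a
# plain type/subtype token. Returns nil when nothing trustworthy remains.
def normalize_content_type(declared)
  value = declared.to_s.strip
  # A header carrying more than one media type is ambiguous; refuse it
  # rather than guess which value a browser will honour.
  return nil if value.include?(",")
  media = value.split(";", 2).first.to_s.strip.downcase
  return nil unless media.match?(%r{\A[a-z0-9.+_-]+/[a-z0-9.+_-]+\z})
  media
end

# Hardened check: compare the normalised media type, never the raw header.
def strict_allowed?(content_type, allowlist = IMAGE_ALLOWLIST)
  media = normalize_content_type(content_type)
  return false if media.nil?
  allowlist.any? do |entry|
    entry.is_a?(Regexp) ? media.match?(entry) : media == entry
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header values, as a client might declare them.
  ["image/png", "Image/PNG; charset=binary", "text/html, image/png", "text/html"].each do |ct|
    puts format("%-28s naive=%-5s strict=%s", ct.inspect, naive_allowed?(ct), strict_allowed?(ct))
  end
end
```

The decisive difference is where the comparison happens: the weak check evaluates the header exactly as the client sent it, while the hardened check first collapses it to a single well-formed media type (or rejects it), which is the property the advisory's Marcel-based patch restores.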