PT-2017-10690 · Ruby · Paperclip

Published

2017-11-13

Updated

2019-10-09

CVE-2017-0889

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Paperclip ruby gem versions 3.1.4 and later

Description The issue affects the Paperclip::UriAdapter class, allowing attackers to potentially access information about internal network resources through a Server-Side Request Forgery (SSRF) vulnerability. This could enable attackers to gather sensitive information.

Recommendations For versions 3.1.4 and later, consider restricting access to the Paperclip::UriAdapter class until a patch is available. As a temporary workaround, review and limit the use of internal network resources to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

CVE-2017-0889

GHSA-5JCF-C5RG-RMM8

Affected Products

Paperclip

PT-2017-10690 · Ruby · Paperclip

CVE-2017-0889

Weakness Enumeration

Related Identifiers

Affected Products

References · 8