CVE-2021-21288

Name of the Vulnerable Software and Affected Versions: CarrierWave versions prior to 1.3.2 CarrierWave versions prior to 2.1.1

Description: The download feature in CarrierWave has a Server-Side Request Forgery (SSRF) vulnerability, allowing attacks to provide DNS entries or IP addresses intended for internal use and gather information about the Intranet infrastructure of the platform.

Recommendations: For versions prior to 1.3.2, upgrade to version 1.3.2. For versions prior to 2.1.1, upgrade to version 2.1.1. As a temporary workaround, consider using proper network segmentation and applying the principle of least privilege to outbound connections from application servers to reduce the severity of SSRF vulnerabilities. Ideally, the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access.