PT-2021-14404
Published: 2021-02-08 · Updated: 2025-05-07 · CVE-2021-21305
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: CarrierWave versions prior to 1.3.2; CarrierWave versions prior to 2.1.1
Description: The issue is a code injection vulnerability in the #manipulate! method, which evaluates the content of the :read and :write mutation options as Ruby code. An attacker who controls that content can craft a string that is executed as Ruby. If an application developer passes untrusted input to these options, the result is remote code execution (RCE).
Recommendations: For versions prior to 1.3.2, upgrade to version 1.3.2. For versions prior to 2.1.1, upgrade to version 2.1.1. As a temporary workaround, stop passing untrusted input to the mutation options of the #manipulate! method.
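The pattern behind the advisory, and the shape of the workaround, as an added illustration in Ruby. This is not CarrierWave's code: FakeImage, its resize/quality methods, the ALLOWED_OPTIONS table and the apply_options_* functions are all constructed here to model an image handle that receives mutation options. The unsafe variant turns option keys and values into Ruby source text, so any value that is not strictly developer-controlled is a code-injection sink; the hardened variant keeps values as data, dispatches only allowlisted method names with public_send, and validates each value against the shape it is expected to have.

```ruby
# Constructed stand-in for an image-processing handle. Records every call so
# the effect of each option-dispatch strategy can be inspected.
class FakeImage
  attr_reader :calls

  def initialize
    @calls = []
  end

  def resize(geometry)
    @calls << [:resize, geometry]
  end

  def quality(value)
    @calls << [:quality, value]
  end
end

# UNSAFE (models the weakness described in the advisory): option key and value
# are interpolated into Ruby source and evaluated. A value such as
# '"800x600"' works as intended, but any value containing further Ruby
# statements runs with the privileges of the application.
def apply_options_unsafe(image, options)
  options.each do |key, value|
    eval("image.#{key}(#{value})") # value is treated as code, not data
  end
  image
end

# Hardened: explicit allowlist of permitted method names, each paired with a
# validator for the value it may receive. Constructed names and constraints.
ALLOWED_OPTIONS = {
  resize: ->(v) { v.is_a?(String) && v.match?(/\A\d{1,5}x\d{1,5}[><!]?\z/) },
  quality: ->(v) { v.is_a?(Integer) && (1..100).cover?(v) }
}.freeze

def apply_options_safe(image, options)
  options.each do |key, value|
    name = key.to_sym
    validator = ALLOWED_OPTIONS[name]
    raise ArgumentError, "option not allowed: #{key}" unless validator
    raise ArgumentError, "invalid value for #{key}: #{value.inspect}" unless validator.call(value)
    image.public_send(name, value) # value is passed as an argument, never evaluated
  end
  image
end

# Constructed sample: a value that closes the intended call and appends a
# statement the developer never wrote (here it only records a marker).
TAMPERED_OPTIONS = {
  resize: '"100x100"); image.calls << :injected; image.resize("200x200"'
}.freeze

# Returns the calls made on the image when the unsafe dispatcher is fed the
# tampered value: the :injected marker shows attacker-supplied code ran.
def demo_unsafe
  apply_options_unsafe(FakeImage.new, TAMPERED_OPTIONS).calls
end

# Returns true when the hardened dispatcher refuses the same tampered value.
def demo_safe_rejects
  apply_options_safe(FakeImage.new, TAMPERED_OPTIONS)
  false
rescue ArgumentError
  true
end

# Returns the calls made for well-formed options, showing the hardened path
# still supports normal use (string or symbol keys).
def demo_safe_accepts
  apply_options_safe(FakeImage.new, { "resize" => "800x600", quality: 85 }).calls
end

if __FILE__ == $PROGRAM_NAME
  p demo_unsafe        # includes :injected
  p demo_safe_rejects  # true
  p demo_safe_accepts  # [[:resize, "800x600"], [:quality, 85]]
end
```

The allowlist is the key design choice: rather than trying to sanitise strings that will be evaluated, the hardened version never evaluates anything and limits what an option can name and what value it can carry, which is the property an application should enforce on anything it forwards to #manipulate! until the upgrade is in place.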

Exploit · Fix · RCE · Code Injection · Special Elements Injection

Weakness Enumeration

Related Identifiers

CVE-2021-21305
GHSA-CF3W-G86H-35X4
USN-7497-1

Affected Products

Carrierwave
Linuxmint
Ubuntu