PT-2024-22687 · Amazon · Amazon S3

A-Zara-N · Published 2024-03-24 · Updated 2025-11-07 · CVE-2024-29034

CVSS v3.1: 6.8 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

CarrierWave versions prior to 2.2.6
CarrierWave versions prior to 3.0.7

Description

When uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that browsers interpret differently from what the content type allowlist permits, by providing multiple values separated by commas. This bypassed value can be used to cause XSS.
Recommendations

For CarrierWave versions prior to 2.2.6, upgrade to 2.2.6. For CarrierWave versions prior to 3.0.7, upgrade to 3.0.7. As a temporary workaround, consider using the provided monkey patch to let CarrierWave parse the Content-Type by using Marcel::MimeType.for. For CarrierWave 3.x, use the following monkey patch:

```ruby
CarrierWave::SanitizedFile.class_eval do
  # Parse the declared Content-Type with Marcel so that only a single
  # media type is used for the allowlist check and the stored object.
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end
```
For CarrierWave 2.x, use the following monkey patch:

```ruby
CarrierWave::SanitizedFile.class_eval do
  # Same normalization as above, applied to the 2.x method name.
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end
```
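The following is an added example, not code from the advisory or from CarrierWave, that models the gap described above: an allowlist check that accepts a raw declared Content-Type when an allowed value appears anywhere inside it, beside a hardened check that first normalizes the declared value to a single media type, as the Marcel-based patch does. The normalizer is a stand-in for Marcel::MimeType.for(declared_type: ...) (assumed behaviour: first media-type token, lower-cased) so the example runs without the marcel gem.

```ruby
# Constructed model (not CarrierWave's own code) of the allowlist gap this
# advisory describes and of the normalization the monkey patch adds.

ALLOWLIST = ["image/png", "image/jpeg", "image/gif"].freeze

# Loose check: accepts the raw declared Content-Type if any allowlisted
# value occurs anywhere inside it. "text/html, image/png" passes because
# "image/png" is a substring, yet the stored header begins with text/html.
def loose_allowed?(declared, allowlist = ALLOWLIST)
  allowlist.any? { |item| declared =~ /#{Regexp.escape(item)}/ }
end

# Stand-in for Marcel::MimeType.for(declared_type: ...) (assumption, so the
# example runs offline): keep only the first media-type token, lower-cased,
# and reject anything that is not of the form type/subtype.
def normalize_declared_type(declared)
  return nil if declared.nil?
  first = declared.to_s.chomp.downcase.split(/[;,\s]/, 2).first
  first if first && first.include?("/")
end

# Hardened check: normalize first, then require an exact match, so the value
# compared against the allowlist is the single media type that gets stored.
def strict_allowed?(declared, allowlist = ALLOWLIST)
  normalized = normalize_declared_type(declared)
  !normalized.nil? && allowlist.include?(normalized)
end

# Constructed sample Content-Type values an upload might declare.
SAMPLES = [
  "image/png",                 # legitimate
  "image/png; charset=utf-8",  # parameter present, still image/png
  "text/html, image/png",      # comma-separated bypass attempt
  "image/PNG"                  # case difference, normalized to image/png
].freeze

# Returns [declared, loose_result, strict_result] for each sample.
def compare(samples = SAMPLES)
  samples.map { |s| [s, loose_allowed?(s), strict_allowed?(s)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |s, loose, strict|
    puts format("%-28s loose=%-5s strict=%s", s.inspect, loose, strict)
  end
end
```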

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2024-29034
GHSA-VFMV-JFC5-PJJW

Affected Products

Amazon S3