CVE-2021-21288

Summary

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.

Affected Software

VendorProductVersion RangeStatus
carrierwaveuploadercarrierwave< 1.3.2affected
carrierwaveuploadercarrierwave>= 2.0.0, < 2.1.1affected

Weaknesses

  • CWE-918: CWE-918: Server-Side Request Forgery (SSRF)

ADP Enrichment

CVE Program Container

Additional References

References