CVE-2021-21288

Published February 8th, 2021

View on NVD ↗

CVSS v3

4.3

MEDIUM

CVSS v2

MEDIUM

Affected

PROJECTS

Description

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.

carrierwave

Upload files in your Ruby applications, map them to a range of ORMs, store them on different backends.

RubyGems

135M

carrierwaveuploader/carrierwave

Classier solution for file uploads for Rails, Sinatra and other Ruby web frameworks

GitHub

8.79K