CVE-2021-21305

Published February 8th, 2021

View on NVD ↗

CVSS v3

7.4

HIGH

CVSS v2

7.5

HIGH

Affected

PROJECTS

Description

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

carrierwave

Upload files in your Ruby applications, map them to a range of ORMs, store them on different backends.

RubyGems

135M

carrierwaveuploader/carrierwave

Classier solution for file uploads for Rails, Sinatra and other Ruby web frameworks

GitHub

8.79K