VYPR
Moderate severity · NVD Advisory · Published Nov 29, 2023 · Updated Oct 11, 2024

CarrierWave has a content-type allowlist bypass vulnerability, possibly leading to XSS

CVE-2023-49090

Description

CarrierWave is a file-upload library for Rails, Sinatra and other Ruby web frameworks. Affected versions have a Content-Type allowlist bypass that can lead to XSS. The check in allowlisted_content_type? decides whether a Content-Type is permitted by performing a partial match against the entries of content_type_allowlist rather than an exact one. If the content_type argument of allowlisted_content_type? carries an attacker-crafted value, Content-Types that are not in content_type_allowlist are accepted. The issue is fixed in versions 2.2.5 and 3.0.5.
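To make the "partial match" failure concrete, the following is an added, simplified reconstruction of that bug class next to an anchored check. It is not CarrierWave's code and does not reproduce the project's actual implementation or fix; the function names, the allowlist and the sample Content-Type values are assumptions made for illustration.

```ruby
# Added example: simplified reconstruction of an unanchored ("partial match")
# Content-Type allowlist check and an exact-match replacement.
# NOT CarrierWave's code; names, allowlist and samples are assumptions.

ALLOWLIST = %w[image/png image/jpeg].freeze

# Vulnerable pattern: the allowlist entry is searched for anywhere inside the
# supplied Content-Type, so any value that merely *contains* an allowed type
# passes the check.
def partial_match_allowed?(content_type, allowlist = ALLOWLIST)
  allowlist.any? do |item|
    Regexp.new(Regexp.quote(item)).match?(content_type.to_s)
  end
end

# Hardened pattern: the allowed type must be the entire media type.
# Parameters after ';' (e.g. charset) are dropped and the comparison is
# case-insensitive, since media types are case-insensitive (RFC 2045).
def exact_match_allowed?(content_type, allowlist = ALLOWLIST)
  media_type = content_type.to_s.split(";", 2).first.to_s.strip.downcase
  allowlist.any? { |item| media_type == item.downcase }
end

# Constructed sample values (not from the advisory). Each maps to the expected
# [partial_match, exact_match] outcome. The third entry is a crafted value that
# embeds an allowed type as a substring of a type that is not allowlisted.
SAMPLES = {
  "image/png"                     => [true,  true],
  "text/html"                     => [false, false],
  "text/html; boundary=image/png" => [true,  false],
  "IMAGE/PNG"                     => [false, true],
}.freeze

# Runs both checks over the samples; returns { content_type => [partial, exact] }.
def compare_checks(samples = SAMPLES)
  samples.keys.map do |ct|
    [ct, [partial_match_allowed?(ct), exact_match_allowed?(ct)]]
  end.to_h
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |ct, (partial, exact)|
    puts format("%-34s partial=%-5s exact=%s", ct.inspect, partial, exact)
  end
end
```

Even with an exact-match allowlist, a declared Content-Type is attacker-controlled input; serving uploads with a fixed Content-Disposition: attachment, from a separate origin, or with the type sniffed from the bytes rather than trusted from the request is what actually keeps a stored file from executing as HTML in a victim's browser.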


Affected packages

Versions sourced from the GitHub Security Advisory.

Package      Ecosystem   Affected versions    Patched version
carrierwave  RubyGems    >= 3.0.0, < 3.0.5    3.0.5
carrierwave  RubyGems    < 2.2.5              2.2.5
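A practitioner's first question is whether a given deployment sits inside those ranges. The following added example (not part of the advisory page) encodes the two affected ranges above with RubyGems' own Gem::Requirement class and checks an installed version against them; the Gemfile.lock excerpt is a constructed sample, and the helper names are assumptions.

```ruby
# Added example: evaluate the advisory's affected ranges against a carrierwave
# version using RubyGems' version classes. Ranges are the ones listed on this page.
require "rubygems"

AFFECTED_RANGES = [
  Gem::Requirement.new(">= 3.0.0", "< 3.0.5"),  # 3.x branch, fixed in 3.0.5
  Gem::Requirement.new("< 2.2.5"),              # everything before 2.2.5
].freeze

# True when the version string falls inside one of the affected ranges.
# Gem::Version orders prereleases before the release (3.0.5.rc1 < 3.0.5),
# so a 3.0.5 prerelease is still reported as affected.
def carrierwave_affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Pulls the resolved carrierwave version out of Gemfile.lock text.
# Resolved specs appear as "    carrierwave (3.0.4)" (four-space indent under
# "specs:"); returns nil when the gem is not present.
def lockfile_carrierwave_version(lockfile_text)
  m = lockfile_text.match(/^ {4}carrierwave \(([^)]+)\)/)
  m && m[1]
end

# Constructed sample lockfile excerpt (hypothetical project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      carrierwave (3.0.4)
        activemodel (>= 6.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  v = lockfile_carrierwave_version(SAMPLE_LOCK)
  puts "carrierwave #{v}: #{carrierwave_affected?(v) ? 'AFFECTED' : 'not affected'}"
end
```

Run it against a real lockfile with `File.read("Gemfile.lock")` in place of the sample; `bundle exec gem list carrierwave` gives the same version for an installed bundle.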
