RubyGems package
paperclip
pkg:gem/paperclip
Vulnerabilities (2)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-0889 | Cri | 9.8 | >= 3.1.4, < 5.2.0 | 5.2.0 | Nov 13, 2017 | Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources. | |
| CVE-2015-2963 | — | < 4.2.2 | 4.2.2 | Jul 10, 2015 | The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg. |
- affected >= 3.1.4, < 5.2.0fixed 5.2.0
Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.
- CVE-2015-2963Jul 10, 2015affected < 4.2.2fixed 4.2.2
The thoughtbot paperclip gem before 4.2.2 for Ruby does not consider the content-type value during media-type validation, which allows remote attackers to upload HTML documents and conduct cross-site scripting (XSS) attacks via a spoofed value, as demonstrated by image/jpeg.