CVE-2024-29034

描述

### Impact The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj) wasn't fully addressed. This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by `content_type_allowlist`, by providing multiple values separated by commas. This bypassed value can be used to cause XSS. ### Patches Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6). ### Workarounds Use the following monkey patch to let CarrierWave parse the Content-type by using `Marcel::MimeType.for`. ```ruby # For CarrierWave 3.x CarrierWave::SanitizedFile.class_eval do def declared_content_type @declared_content_type || if @file.respond_to?(:content_type) && @file.content_type Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp) end end end ``` ```ruby # For CarrierWave 2.x CarrierWave::SanitizedFile.class_eval do def existing_content_type if @file.respond_to?(:content_type) && @file.content_type Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp) end end end ``` ### References [OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)

受影響套件(1)

• RubyGems/carrierwave>= 3.0.0, < 3.0.7

CVSS 分數

參考連結(5)

• ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-29034
• PATCHhttps://github.com/carrierwaveuploader/carrierwave
• WEBhttps://github.com/carrierwaveuploader/carrierwave/commit/25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477
• WEBhttps://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
• WEBhttps://github.com/rubysec/ruby-advisory-db/blob/master/gems/carrierwave/CVE-2024-29034.yml