Vulnerability Description
Paperclip ruby gem version 3.1.4 and later suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Thoughtbot | Paperclip | >= 3.1.4, < 5.2.0 |
Related Weaknesses (CWE)
References
- https://github.com/thoughtbot/paperclip/pull/2435 (Issue Tracking, Patch, Third Party Advisory)
- https://hackerone.com/reports/209430 (Permissions Required)
- https://hackerone.com/reports/713 (Issue Tracking, Third Party Advisory)
FAQ
What is CVE-2017-0889?
CVE-2017-0889 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Paperclip ruby gem version 3.1.4 and later suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about interna...
How severe is CVE-2017-0889?
CVE-2017-0889 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2017-0889?
Check the references section above for vendor advisories and patch information. Affected products include: Thoughtbot Paperclip.