CVE-2021-21305 — HIGH (7.4)

Q: How severe is CVE-2021-21305?

CVE-2021-21305 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2021-21305?

Check the references section above for vendor advisories and patch information. Affected products include: Carrierwave Project Carrierwave.

Vulnerability Description

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.

CVSS Score

7.4

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Affected Products

Vendor	Product	Versions
Carrierwave Project	Carrierwave	< 1.3.2

Related Weaknesses (CWE)

CWE-74 CWE-94

References

https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132-Release NotesThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211-Release NotesThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938PatchThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3wExploitThird Party Advisory
https://rubygems.org/gems/carrierwaveProductThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132-Release NotesThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211-Release NotesThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/commit/387116f5c72efa42bc3938PatchThird Party Advisory
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3wExploitThird Party Advisory
https://rubygems.org/gems/carrierwaveProductThird Party Advisory

FAQ

What is CVE-2021-21305?

CVE-2021-21305 is a vulnerability with a CVSS score of 7.4 (HIGH). CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnera...

How severe is CVE-2021-21305?

CVE-2021-21305 has been rated HIGH with a CVSS base score of 7.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-21305?

Check the references section above for vendor advisories and patch information. Affected products include: Carrierwave Project Carrierwave.