CVE-2024-22049 — MEDIUM (5.3)

Q: How severe is CVE-2024-22049?

CVE-2024-22049 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2024-22049?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Jnunemaker Httparty.

Vulnerability Description

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Debian	Debian Linux	10.0
Fedoraproject	Fedora	38
Jnunemaker	Httparty	< 0.21.0

Related Weaknesses (CWE)

CWE-472

References

https://github.com/advisories/GHSA-5pq7-52mg-hr42ExploitThird Party Advisory
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa4Exploit
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ePatch
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42ExploitPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00011.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List
https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42PatchThird Party Advisory
https://github.com/advisories/GHSA-5pq7-52mg-hr42ExploitThird Party Advisory
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa4Exploit
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ePatch
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42ExploitPatchVendor Advisory
https://lists.debian.org/debian-lts-announce/2024/01/msg00011.htmlMailing ListThird Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00043.htmlMailing ListThird Party Advisory
https://lists.fedoraproject.org/archives/list/[email protected]Mailing List

FAQ

What is CVE-2024-22049?

CVE-2024-22049 is a vulnerability with a CVSS score of 5.3 (MEDIUM). httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uplo...

How severe is CVE-2024-22049?

CVE-2024-22049 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2024-22049?

Check the references section above for vendor advisories and patch information. Affected products include: Debian Debian Linux, Fedoraproject Fedora, Jnunemaker Httparty.