CVE-2021-21305 – CarrierWave (18th Feb 2021)

Preface: CarrierWave provides a simple and extremely flexible way to upload files from Ruby applications. Ruby On Rails Companies Websites are popular. It covered all your familiar areas – Airbnb, Groupon, GitHub, Twitter, Zendesk, Bloomberg…

Background: CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability.

Vulnerability details: The “#manipulate!” method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). For more details, please refer to diagram.

Workaround: It is recommended to stop supplying untrusted input to #manipulate!’s mutation option.

Remedy: upgrade to 2.1.1 or 1.3.2.

Reference: RubyGems is a package manager for Ruby. It provides a standard format “gem” for distributing Ruby programs and libraries. It is designed to conveniently manage gem installation tools and servers for distributing gems. This is similar to Python’s pip.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.