CVE-2017-0889 (paperclip): Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.

ADVISORIES

CVE-2017-0889 (NVD)
GHSA-5jcf-c5rg-rmm8
Vendor Advisory

GEM

paperclip

SEVERITY

CVSS v3.x: 9.8 (Critical)

CVSS v2.0: 7.5 (High)

PATCHED VERSIONS

>= 5.2.0

DESCRIPTION

Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are used, Paperclip acts as a proxy and downloads the file from the website URI that is passed in. The library does not perform any validation to protect against Server Side Request Forgery (SSRF) exploits by default. This may allow a remote attacker to access information about internal network resources.

https://nvd.nist.gov/vuln/detail/CVE-2017-0889
https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4

RubySec

CVE-2017-0889 (paperclip): Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories