RubySec

Providing security resources for the Ruby community

CVE-2017-0889 (paperclip): Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.

ADVISORIES

GEM

paperclip

SEVERITY

CVSS v2: 7.5 (High)

PATCHED VERSIONS

  • >= 5.2.0

DESCRIPTION

Paperclip gem provides multiple ways a file can be uploaded to a web server. The vulnerability affects two of Paperclip’s IO adapters that accept URLs as attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are used, Paperclip acts as a proxy and downloads the file from the website URI that is passed in. The library does not perform any validation to protect against Server Side Request Forgery (SSRF) exploits by default. This may allow a remote attacker to access information about internal network resources.