RubySec

Providing security resources for the Ruby community

CVE-2021-21288 (carrierwave): Server-side request forgery in CarrierWave

ADVISORIES

GEM

carrierwave

SEVERITY

CVSS v3: 4.3

PATCHED VERSIONS

  • ~> 1.3.2
  • >= 2.1.1

DESCRIPTION

Impact

[CarrierWave download feature](https://github.com/carrierwaveuploader/carrierwave#uploading-files-from-a-remote-location has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.

Patches

Upgrade to 2.1.1 or 1.3.2.

Workarounds

Using proper network segmentation and applying the principle of least privilege to outbound connections from application servers can reduce the severity of SSRF vulnerabilities. Ideally the vulnerable gem should run on an isolated server without access to any internal network resources or cloud metadata access.