RubySec

Providing security resources for the Ruby community

CVE-2024-22049 (httparty): httparty has multipart/form-data request tampering vulnerability


GEM

httparty

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

  • >= 0.21.0

DESCRIPTION

HTTP multipart/form-data request tampering vulnerability in httparty < 0.21.0, caused by missing escaping of double quotes in the filename attribute of the Content-Disposition part header. When the Content-Disposition header is set to form-data and carries a filename attribute, a filename value containing a double quote followed by further attribute text terminates the quoted string early. The remaining text is then parsed as additional Content-Disposition attributes and overrides attributes that appeared earlier in the header, such as the name of the form field the file is submitted under. Because the filename usually comes from the user (an uploaded file's original name), any application that forwards uploads through httparty to another service can have the part's field name, and the apparent file extension, rewritten by the uploader.

Example of a tampered part header. With a supplied filename of overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt the header sent on the wire becomes:

Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

A receiving parser that applies attributes left to right now sees name="foo" instead of name="avatar", and the trailing dummy=".txt" is accepted as just another attribute.
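The following Ruby is an added example, not httparty's code and not taken from this advisory: it models an unescaping header builder next to an escaped one, and runs both through a quoted-string-aware parser so the override described above can be observed. The percent-encoding of double quotes is one hardening strategy assumed here and is not claimed to be the exact httparty 0.21.0 patch; the attacker filename is constructed to reproduce the header shown above.

```ruby
# Added example modelling the Content-Disposition injection described in the
# advisory. None of this is httparty's own code; the two builders are
# illustrative stand-ins for an unescaping and an escaping library.

# How an unescaping library assembles the part header: the caller-supplied
# filename is dropped straight into a quoted-string.
def vulnerable_content_disposition(name, filename)
  %(form-data; name="#{name}"; filename="#{filename}")
end

# One hardening strategy (an assumption here, not necessarily httparty's exact
# patch): percent-encode double quotes so the quoted-string cannot be closed
# early, and strip CR/LF so the value cannot start a new header line.
def escape_filename(filename)
  filename.gsub('"', '%22').delete("\r\n")
end

def hardened_content_disposition(name, filename)
  %(form-data; name="#{name}"; filename="#{escape_filename(filename)}")
end

# Quoted-string-aware attribute grammar: key="quoted value" or key=bare value.
ATTRIBUTE_RE = /([A-Za-z0-9_-]+)=(?:"((?:[^"\\]|\\.)*)"|([^;]*))/

# Models what a receiving server does: attributes are read left to right and a
# repeated attribute overrides the earlier value, which is exactly what the
# injection relies on. Returns [disposition_type, { attribute => value }].
def parse_content_disposition(header)
  type, rest = header.split(';', 2)
  attrs = {}
  (rest || '').scan(ATTRIBUTE_RE) do |key, quoted, bare|
    attrs[key] = quoted || bare.strip
  end
  [type.strip, attrs]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-controlled filename: closes the quoted-string and
  # appends its own attributes, reproducing the header from the advisory.
  evil = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'
  [vulnerable_content_disposition('avatar', evil),
   hardened_content_disposition('avatar', evil)].each do |header|
    puts header
    p parse_content_disposition(header)
  end
end
```

With the unescaped builder the parser reports name="foo", so the upload lands in a different form field than the application intended; with the escaped builder the whole attacker string stays inside the filename value as a single attribute. Note that percent-encoding leaves a literal %22 in the filename for the receiver to decode, which is the trade-off browsers make for the same header.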
