RubySec

Providing security resources for the Ruby community

GHSA-5pq7-52mg-hr42 (httparty): httparty has multipart/form-data request tampering vulnerability

ADVISORIES

GEM

httparty

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

  • >= 0.21.0

DESCRIPTION

"multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

By exploiting this problem, the following attacks are possible

  • An attack that rewrites the \"name\" field according to the crafted file name, impersonating (overwriting) another field.
  • Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.

RELATED