ADVISORIES

• GHSA-5pq7-52mg-hr42
• Vendor Advisory

GEM

httparty

SEVERITY

CVSS v3.x: 6.5 (Medium)

PATCHED VERSIONS

• >= 0.21.0

DESCRIPTION

"multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

By exploiting this problem, the following attacks are possible

• An attack that rewrites the \"name\" field according to the crafted file name, impersonating (overwriting) another field.
• Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.

RELATED

• https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
• https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
• https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
• https://bugzilla.mozilla.org/show_bug.cgi?id=1556711