The Paperclip Ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter classes.
The Paperclip gem provides multiple ways a file can be uploaded to a web server.
The vulnerability affects two of Paperclip’s IO adapters that accept URLs as
attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
used, Paperclip acts as a proxy and downloads the file from the website URI
that is passed in. The library does not perform any validation to protect
against Server Side Request Forgery (SSRF) exploits by default. This may allow
a remote attacker to access information about internal network resources.
- ">= 5.2.0"
url:
  - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
  - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4
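As an added defensive example (not code from Paperclip or from the advisory), the Ruby below shows the kind of check the affected adapters did not perform: resolve the attachment URL's host and refuse any address in loopback, private or link-local space before the URL is handed to UriAdapter or HttpUrlProxyAdapter. The names `safe_attachment_url?`, `resolve_host` and `BLOCKED_RANGES` are assumed for this example.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Networks a server-side download must never be allowed to reach.
# Constructed for this example; extend it with your own internal ranges.
BLOCKED_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
  172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }

# Default resolver: a real DNS lookup. Tests inject a stub instead.
def resolve_host(host)
  Resolv.getaddresses(host)
end

# Returns true only if the URL is http(s) and every address its host maps to
# lies outside BLOCKED_RANGES. Run this before passing a URL to an attachment,
# so the adapter never acts as a proxy to an internal resource.
def safe_attachment_url?(url, resolver: method(:resolve_host))
  uri = begin
    URI.parse(url)
  rescue URI::InvalidURIError
    return false
  end
  return false unless %w[http https].include?(uri.scheme)
  host = uri.hostname # strips the [] around IPv6 literals
  return false if host.nil? || host.empty?

  # IP literals need no lookup; names are resolved (possibly to several addresses).
  addrs = begin
    [IPAddr.new(host)]
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return false if addrs.empty? # unresolvable host: fail closed

  addrs.none? do |ip|
    ip = ip.native if ip.ipv4_mapped? # treat ::ffff:10.0.0.1 as 10.0.0.1
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  end
end
```

DNS can change between this check and the download, and a public host can redirect to an internal one, so pair it with a fetch that connects only to the vetted address and re-checks every redirect target.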