Rubysec


Advisory Archive


---
gem: paperclip
date: 2018-01-23
url: https://github.com/thoughtbot/paperclip/pull/2435
cve: 2017-0889
title: |
  Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
  in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter class.
description: |
  The Paperclip gem provides multiple ways to upload a file to a web server.
  The vulnerability affects two of Paperclip’s IO adapters that accept URLs as
  attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
  used, Paperclip acts as a proxy and downloads the file from the URI that is
  passed in. By default the library performs no validation of that URI to
  protect against Server-Side Request Forgery (SSRF). This may allow a remote
  attacker to access information about internal network resources.
cvss_v2: '7.5'
patched_versions:
- ">= 5.2.0"
related:
  url:
  - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
  - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4
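The adapters named in the advisory pass the user-supplied URL straight to the HTTP client. The following is an added example, not code from the advisory or from the Paperclip project, of the kind of check an application can run before any URL adapter is allowed to fetch: it rejects non-HTTP schemes, embedded credentials, and any host that is or resolves to a loopback, link-local, private, or otherwise non-routable address. The function name `validate_fetch_url`, the injectable `resolver:` parameter, and the `BLOCKED_RANGES` list are my own assumptions; the resolver is injectable so the example runs offline.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Address ranges a URL-fetching adapter must never be allowed to reach
# (loopback, link-local, RFC 1918, CGNAT, multicast, reserved). Constructed
# list for this example; tune it to your own network.
BLOCKED_RANGES = [
  "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
  "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
  "::/128", "::1/128", "fc00::/7", "fe80::/10"
].map { |cidr| IPAddr.new(cidr) }.freeze

ALLOWED_SCHEMES = %w[http https].freeze

# True if the address falls in a blocked range. IPv4-mapped IPv6 addresses
# (::ffff:127.0.0.1) are unwrapped first so they cannot bypass the IPv4 rules.
def blocked_address?(ip)
  ip = ip.native if ip.ipv4_mapped?
  BLOCKED_RANGES.any? { |range| range.include?(ip) }
end

# Validates a URL before it is handed to an adapter that will fetch it.
# Returns [true, resolved_ip] or [false, reason]. The resolver is injectable
# (hypothetical parameter) so tests can run without DNS.
def validate_fetch_url(url, resolver: ->(host) { Resolv.getaddresses(host) })
  uri = URI.parse(url.to_s)
  return [false, "scheme not allowed"] unless ALLOWED_SCHEMES.include?(uri.scheme)
  return [false, "missing host"] if uri.host.nil? || uri.host.empty?
  return [false, "userinfo not allowed"] if uri.userinfo

  host = uri.hostname # strips the [] around IPv6 literals
  addrs = begin
    [IPAddr.new(host)]                       # literal IP: no DNS needed
  rescue IPAddr::InvalidAddressError
    resolver.call(host).map { |a| IPAddr.new(a) }
  end
  return [false, "host does not resolve"] if addrs.empty?

  # Reject if *any* answer is blocked; a name with one public and one
  # internal answer is still an internal target.
  bad = addrs.find { |ip| blocked_address?(ip) }
  return [false, "resolves to blocked address #{bad}"] if bad

  [true, addrs.first.to_s]
rescue URI::InvalidURIError, IPAddr::InvalidAddressError => e
  [false, "unparseable: #{e.message}"]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; the stub resolver stands in for real DNS.
  stub = ->(_host) { ["93.184.216.34"] }
  p validate_fetch_url("https://example.com/avatar.png", resolver: stub)
  p validate_fetch_url("http://127.0.0.1:8080/", resolver: stub)
  p validate_fetch_url("http://[::ffff:127.0.0.1]/", resolver: stub)
  p validate_fetch_url("http://intranet.example/", resolver: ->(_h) { ["10.0.0.5"] })
end
```

This check validates the name once, at submission time. The IP that passed the check should also be the one actually connected to (pin it in the HTTP client or re-run the check on every redirect hop), because a second lookup at fetch time can return a different answer.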