CVE-2021-21288
MEDIUMCarrierWave < 1.3.2 - Server-Side Request Forgery via Download Feature
Title source: llmDescription
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.
References (5)
Core 5
Core References
Third Party Advisory x_refsource_confirm
https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
Product, Third Party Advisory x_refsource_misc
https://rubygems.org/gems/carrierwave/
Patch, Third Party Advisory x_refsource_misc
https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08
Release Notes, Third Party Advisory x_refsource_misc
https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08
Scores
CVSS v3
4.3
EPSS
0.0020
EPSS Percentile
41.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Details
CWE
CWE-918
Status
published
Products (2)
carrierwave_project/carrierwave
< 1.3.2
rubygems/carrierwave
0 - 1.3.2RubyGems
Published
Feb 08, 2021
Tracked Since
Feb 18, 2026