Description
httparty before 0.21.0 contains an assumed-immutable web parameter vulnerability (CWE-472). A remote, unauthenticated attacker can supply a crafted filename parameter during a multipart/form-data upload, which could result in attacker-controlled filenames being written.
References (9)
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
Mailing List: https://lists.fedoraproject.org/archives/list/[email protected]/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
Mailing List: https://lists.fedoraproject.org/archives/list/[email protected]/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html
Exploit, Patch, Vendor Advisory: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
Exploit: https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
Exploit, Third Party Advisory: https://github.com/advisories/GHSA-5pq7-52mg-hr42
Patch, Third Party Advisory: https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42
Scores
CVSS v3: 5.3
EPSS: 0.0129
EPSS Percentile: 66.4%
Attack Vector: NETWORK
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-472
Status: published
Products (6)
debian/debian_linux 10.0
debian/debian_linux 11.0
fedoraproject/fedora 38
fedoraproject/fedora 39
jnunemaker/httparty < 0.21.0
rubygems/httparty 0 - 0.21.0 (RubyGems)
Published: Jan 04, 2024
Tracked Since: Feb 18, 2026