GHSA SYNC: 1 new advisory

jasnow · postmodern · commit 840f21aeeb8a · 2024-03-26T16:27:16.000-07:00
diff --git a/gems/carrierwave/CVE-2024-29034.yml b/gems/carrierwave/CVE-2024-29034.yml
@@ -0,0 +1,67 @@
+---
+gem: carrierwave
+cve: 2024-29034
+ghsa: vfmv-jfc5-pjjw
+url: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
+title: CarrierWave content-Type allowlist bypass vulnerability
+  which possibly leads to XSS remained
+date: 2024-03-25
+description: |
+  ### Impact
+
+  The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj)
+  wasn't fully addressed.
+
+  This vulnerability is caused by the fact that when uploading to
+  object storage, including Amazon S3, it is possible to set a
+  Content-Type value that is interpreted by browsers to be different
+  from what's allowed by `content_type_allowlist`, by providing
+  multiple values separated by commas.
+
+  This bypassed value can be used to cause XSS.
+
+  ### Patches
+
+  Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).
+
+  ### Workarounds
+  Use the following monkey patch to let CarrierWave parse the
+  Content-type by using `Marcel::MimeType.for`.
+
+  ```ruby
+  # For CarrierWave 3.x
+  CarrierWave::SanitizedFile.class_eval do
+    def declared_content_type
+      @declared_content_type ||
+        if @file.respond_to?(:content_type) && @file.content_type
+          Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
+        end
+    end
+  end
+  ```
+
+  ```ruby
+  # For CarrierWave 2.x
+  CarrierWave::SanitizedFile.class_eval do
+    def existing_content_type
+      if @file.respond_to?(:content_type) && @file.content_type
+        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
+      end
+    end
+  end
+  ```
+
+  ### References
+
+  [OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)
+
+cvss_v3: 6.8
+patched_versions:
+  - "~> 2.2.6"
+  - ">= 3.0.7"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-29034
+    - https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
+    - https://github.com/carrierwaveuploader/carrierwave/commit/25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477
+    - https://github.com/advisories/GHSA-vfmv-jfc5-pjjw
