Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Server-side request forgery in CarrierWave
Vulnerability Description
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vulnerability Type
服务端请求伪造(SSRF)
Vulnerability Title
CarrierWave 代码问题漏洞
Vulnerability Description
Mshibuya CarrierWave是美国Mshibuya个人组织的一个上传工具。提供了一种简单且极为灵活的方式来从Ruby应用程序上传文件。 CarrierWave 1.3.2和2.1.1之前的版本中存在代码问题漏洞,该漏洞源于允许攻击者提供用于内部使用的DNS表项或IP地址,并收集平台的内网基础设施信息。
CVSS Information
N/A
Vulnerability Type
N/A