Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Code Injection vulnerability in CarrierWave
Vulnerability Description
CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The "#manipulate!" method inappropriately evals the content of mutation option(:read/:write), allowing attackers to craft a string that can be executed as a Ruby code. If an application developer supplies untrusted inputs to the option, it will lead to remote code execution(RCE). This is fixed in versions 1.3.2 and 2.1.1.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Vulnerability Type
输出中的特殊元素转义处理不恰当(注入)
Vulnerability Title
Mshibuya CarrierWave 代码代码注入漏洞
Vulnerability Description
Mshibuya CarrierWave是美国Mshibuya个人组织的一个上传工具。提供了一种简单且极为灵活的方式来从Ruby应用程序上传文件。 Mshibuya CarrierWave 1.3.2和2.1.1之前版本存在代码注入漏洞,该漏洞源于#manipulate!方法不恰当地求值了突变选项(:read/:write)的内容,从而允许攻击者创建一个可以作为Ruby代码执行的字符串。如果应用程序开发人员向该选项提供不受信任的输入,则会导致远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A