CVE-2022-2815: Publify Core does not strip metadata from images
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.45463%
CWE
Published
1/14/2023
Updated
1/23/2023
KEV Status
No
Technology
Ruby
RubyTechnical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| publify_core | rubygems | < 9.2.10 | 9.2.10 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from Publify Core's failure to strip EXIF metadata from uploaded images. The patch introduced two new CarrierWave processes (strip and fix_exif_rotation) in ResourceUploader to address this. In vulnerable versions (<9.2.10), these processes were absent, leaving the system's image processing pipeline incomplete and allowing insecure storage of sensitive metadata. The primary vulnerable component is the image processing workflow in ResourceUploader, which lacked critical sanitization steps.