6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49090

GHSA ID

GHSA-gxhx-g4fq-49hj

EPSS Score

0.34822%

CWE

CWE-79

Published

11/29/2023

Updated

11/30/2023

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-49090

CVE-2023-49090: CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

Impact

CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.

The validation in allowlisted_content_type? determines Content-Type permissions by performing a partial match. If the content_type argument of allowlisted_content_type? is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist will be allowed.

In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.

Patches

Upgrade to 3.0.5 or 2.2.5.

Workarounds

When validating with allowlisted_content_type? in CarrierWave::Uploader::ContentTypeAllowlist , forward match(\A) the Content-Type set in content_type_allowlist, preventing unintentional permission of text/html;image/png when you want to allow only image/png in content_type_allowlist.

References

OWASP - File Upload Cheat Sheet

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-49090

GHSA ID

GHSA-gxhx-g4fq-49hj

EPSS Score

0.34822%

CWE

CWE-79

Published

11/29/2023

Updated

11/30/2023

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
carrierwave	rubygems	>= 3.0.0, < 3.0.5	3.0.5
carrierwave	rubygems	< 2.2.5	2.2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The core vulnerability stems from the regex implementation in content type validation functions. The commit diff shows the critical fix was adding \A regex anchors to enforce start-of-string matching in both allowlist/whitelist variants. The vulnerability description explicitly calls out partial matching in allowlisted_content_type? as the root cause, and the added test cases demonstrate crafted Content-Type bypass scenarios that this function's flawed implementation allowed.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t [**rri*rW*v*::Uplo***r::*ont*ntTyp**llowlist](*ttps://*it*u*.*om/**rri*rw*v*uplo***r/**rri*rw*v*/*lo*/m*st*r/li*/**rri*rw*v*/uplo***r/*ont*nt_typ*_*llowlist.r*) **s * *ont*nt-Typ* *llowlist *yp*ss vuln*r**ility, possi*ly l***in* to XSS.

Reasoning

T** *or* vuln*r**ility st*ms *rom t** r***x impl*m*nt*tion in *ont*nt typ* v*li**tion *un*tions. T** *ommit *i** s*ows t** *riti**l *ix w*s ***in* \* r***x *n**ors to *n*or** st*rt-o*-strin* m*t**in* in *ot* *llowlist/w*it*list v*ri*nts. T** vuln*r**

6.8

Basic Information

Concerned about an active attack path?

CVE-2023-49090: CarrierWave Content-Type allowlist bypass vulnerability, possibly leading to XSS

Impact

Patches

Workarounds

References

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI