6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-29034

GHSA ID

GHSA-vfmv-jfc5-pjjw

EPSS Score

0.07682%

CWE

CWE-79

Published

3/25/2024

Updated

3/27/2024

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-29034

CVE-2024-29034: CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end

# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

(GitHub Advisory)

6.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-29034

GHSA ID

GHSA-vfmv-jfc5-pjjw

EPSS Score

0.07682%

CWE

CWE-79

Published

3/25/2024

Updated

3/27/2024

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
carrierwave	rubygems	>= 3.0.0, < 3.0.7	3.0.7
carrierwave	rubygems	< 2.2.6	2.2.6

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper Content-Type parsing in CarrierWave's sanitization logic. The commit diff shows critical changes to content type handling in sanitized_file.rb, replacing direct @file.content_type access with Marcel MIME type parsing. The vulnerable functions directly used the raw Content-Type header without properly extracting the primary MIME type, allowing attackers to bypass allowlists by providing multiple types (e.g., 'text/html, image/png'). Browser interpretation of the first valid MIME type while CarrierWave's validation saw the full string created the mismatch. The patch explicitly adds Marcel parsing and tests for multi-value scenarios, confirming these functions were the vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t T** vuln*r**ility [*V*-****-*****](*ttps://*it*u*.*om/**rri*rw*v*uplo***r/**rri*rw*v*/s**urity/**visori*s/**S*-*x*x-***q-***j) w*sn't *ully ***r*ss**. T*is vuln*r**ility is **us** *y t** ***t t**t w**n uplo**in* to o*j**t stor***, in*lu*i

Reasoning

T** vuln*r**ility st*ms *rom improp*r *ont*nt-Typ* p*rsin* in **rri*rW*v*'s s*nitiz*tion lo*i*. T** *ommit *i** s*ows *riti**l ***n**s to *ont*nt typ* **n*lin* in s*nitiz**_*il*.r*, r*pl**in* *ir**t @*il*.*ont*nt_typ* ****ss wit* M*r**l MIM* typ* p*r

6.8

Basic Information

Concerned about an active attack path?

CVE-2024-29034: CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

Impact

Patches

Workarounds

References

6.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI