Updated advisory posts against rubysec/ruby-advisory-db@840f21a

jasnow · RubySec CI · commit e1d8ce331c29 · 2024-03-26T23:28:01.000Z
diff --git a/advisories/_posts/2024-03-25-CVE-2024-29034.md b/advisories/_posts/2024-03-25-CVE-2024-29034.md
@@ -0,0 +1,74 @@
+---
+layout: advisory
+title: 'CVE-2024-29034 (carrierwave): CarrierWave content-Type allowlist bypass vulnerability
+  which possibly leads to XSS remained'
+comments: false
+categories:
+- carrierwave
+advisory:
+  gem: carrierwave
+  cve: 2024-29034
+  ghsa: vfmv-jfc5-pjjw
+  url: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
+  title: CarrierWave content-Type allowlist bypass vulnerability which possibly leads
+    to XSS remained
+  date: 2024-03-25
+  description: |
+    ### Impact
+
+    The vulnerability [CVE-2023-49090](https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj)
+    wasn't fully addressed.
+
+    This vulnerability is caused by the fact that when uploading to
+    object storage, including Amazon S3, it is possible to set a
+    Content-Type value that is interpreted by browsers to be different
+    from what's allowed by `content_type_allowlist`, by providing
+    multiple values separated by commas.
+
+    This bypassed value can be used to cause XSS.
+
+    ### Patches
+
+    Upgrade to [3.0.7](https://rubygems.org/gems/carrierwave/versions/3.0.7) or [2.2.6](https://rubygems.org/gems/carrierwave/versions/2.2.6).
+
+    ### Workarounds
+    Use the following monkey patch to let CarrierWave parse the
+    Content-type by using `Marcel::MimeType.for`.
+
+    ```ruby
+    # For CarrierWave 3.x
+    CarrierWave::SanitizedFile.class_eval do
+      def declared_content_type
+        @declared_content_type ||
+          if @file.respond_to?(:content_type) && @file.content_type
+            Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
+          end
+      end
+    end
+    ```
+
+    ```ruby
+    # For CarrierWave 2.x
+    CarrierWave::SanitizedFile.class_eval do
+      def existing_content_type
+        if @file.respond_to?(:content_type) && @file.content_type
+          Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
+        end
+      end
+    end
+    ```
+
+    ### References
+
+    [OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation)
+  cvss_v3: 6.8
+  patched_versions:
+  - "~> 2.2.6"
+  - ">= 3.0.7"
+  related:
+    url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-29034
+    - https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
+    - https://github.com/carrierwaveuploader/carrierwave/commit/25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477
+    - https://github.com/advisories/GHSA-vfmv-jfc5-pjjw
+---
