What is CVE-2021-21288?

CVE-2021-21288 is a vulnerability in CarrierWave, an open-source RubyGem, that allows for server-side request forgery (SSRF).

What is the severity of CVE-2021-21288?

The severity of CVE-2021-21288 is medium with a CVSS score of 4.3.

How does CVE-2021-21288 affect CarrierWave?

CVE-2021-21288 affects CarrierWave versions 1.3.2 and 2.1.1, allowing attacks to provide DNS entries or IP addresses intended for internal networks.

How can I fix CVE-2021-21288?

To fix CVE-2021-21288, upgrade to CarrierWave version 1.3.2 or 2.1.1 or later.

Where can I find more information about CVE-2021-21288?

You can find more information about CVE-2021-21288 on the CarrierWave GitHub repository and the provided references.

Vulnerability/
CVE-2021-21288

medium

4.3

CWE

918

8/2/2021

3/8/2024

CVE-2021-21288: Server-side request forgery in CarrierWave

First published: Mon Feb 08 2021(Updated: )

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform. This is fixed in versions 1.3.2 and 2.1.1.

Credit: security-advisories@github.com

Affected Software	Affected Version	How to fix
Carrierwave	<1.3.2
Carrierwave	>=2.0.1<2.1.1

Remedy

https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2021-21288?
CVE-2021-21288 is a vulnerability in CarrierWave, an open-source RubyGem, that allows for server-side request forgery (SSRF).
What is the severity of CVE-2021-21288?
The severity of CVE-2021-21288 is medium with a CVSS score of 4.3.
How does CVE-2021-21288 affect CarrierWave?
CVE-2021-21288 affects CarrierWave versions 1.3.2 and 2.1.1, allowing attacks to provide DNS entries or IP addresses intended for internal networks.
How can I fix CVE-2021-21288?
To fix CVE-2021-21288, upgrade to CarrierWave version 1.3.2 or 2.1.1 or later.
Where can I find more information about CVE-2021-21288?
You can find more information about CVE-2021-21288 on the CarrierWave GitHub repository and the provided references.

agent/type
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/title
agent/author
agent/remedy
agent/severity
agent/weakness
agent/last-modified-date
agent/references
agent/first-publish-date
agent/event
agent/description
agent/source
agent/tags
collector/nvd-index
agent/software-canonical-lookup-request
vendor/carrierwave project
canonical/carrierwave
version/carrierwave/2.0.1

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.