CVE-2021-21305: carrierwave/CHANGELOG.md at master · carrierwaveuploader/carrierwave

CarrierWave is an open-source RubyGem which provides a simple and flexible way to upload files from Ruby applications. In CarrierWave before versions 1.3.2 and 2.1.1, there is a code injection vulnerability. The “#manipulate!” method inappropriately evals the content of the mutation options (:read/:write), allowing attackers to craft a string that is executed as Ruby code. If an application developer supplies untrusted input to these options, it leads to remote code execution (RCE). This is fixed in versions 1.3.2 and 2.1.1.
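To make the defect concrete, here is an added example (written for this page, not CarrierWave's or RMagick's own code) that puts the option-handling pattern the advisory describes, values interpolated into Ruby source and eval'd, next to a form that keeps the values as data. `FakeImageInfo`, `ALLOWED_INFO_ATTRS`, `vulnerable_info_block`, `safe_info_block` and `density_after` are stand-ins assumed for the demonstration.

```ruby
# Stand-in for the RMagick Image::Info object that #manipulate!'s :read/:write
# blocks configure (constructed for this example, not RMagick's class).
class FakeImageInfo
  attr_accessor :density, :quality
end

# Vulnerable pattern: option keys and values are interpolated into Ruby source
# and eval'd, so whatever the caller puts in a value runs as code.
def vulnerable_info_block(options)
  return nil unless options
  assignments = options.map { |k, v| "img.#{k} = #{v}" }
  eval("lambda { |img| #{assignments.join('; ')} }")
end

# Setters the hardened version is willing to touch; anything else is rejected.
ALLOWED_INFO_ATTRS = %i[density quality].freeze

# Hardened pattern: no eval. The key is checked against an allowlist and the
# value is handed to the setter unchanged, so it stays data.
def safe_info_block(options)
  return nil unless options
  proc do |img|
    options.each do |k, v|
      attr = k.to_sym
      unless ALLOWED_INFO_ATTRS.include?(attr)
        raise ArgumentError, "unsupported image option: #{k}"
      end
      img.public_send(:"#{attr}=", v)
    end
  end
end

# Applies a block built by either helper to a fresh info object and returns
# the density it ends up with.
def density_after(block)
  info = FakeImageInfo.new
  block.call(info)
  info.density
end

if __FILE__ == $PROGRAM_NAME
  # Constructed option value: arithmetic text a caller might pass through.
  puts density_after(vulnerable_info_block(density: "2 * 150")).inspect # => 300
  puts density_after(safe_info_block(density: "2 * 150")).inspect       # => "2 * 150"
end
```

The vulnerable helper turns the text "2 * 150" into the integer 300 because the string was compiled as Ruby; the hardened helper stores the string as given and refuses keys outside the allowlist.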


Carrierwave History/Changelog

All notable changes to this project will be documented in this file. This project adheres to Semantic Versioning.

[Unreleased]

Removed

  • Remove support for Merb (@seuros #2566)

2.2.2 - 2021-05-28

Fixed

  • Fix no implicit conversion of CSV into String error when parsing a CSV object (@pjmartorell #2562, #2559)

2.2.1 - 2021-03-30

Changed

  • Replace mimemagic with marcel due to licensing concern (@pjmartorell #2551, #2548)

Fixed

  • Fog storage’s #clean_cache! breaks when non-cache objects exist in cache_dir (@mshibuya 42c620a1, #2532)

2.2.0 - 2021-02-23

Added

  • libvips support through ImageProcessing::Vips and ruby-vips (@rhymes #2500, e8421978, 4ae8dc64)
  • Provide alternatives to whitelist/blacklist terminology as allowlist/denylist, while old ones are still available but deprecated (@grantbdev #2442, 4c3cac75, #2491)
  • Support for the latest version of RMagick (@mshibuya 88f24451)

Deprecated

  • #(content_type|extension)_whitelist, #(content_type|extension)_blacklist are deprecated. Use #(content_type|extension)_allowlist and #(content_type|extension)_denylist instead (@grantbdev #2442, 4c3cac75)

Fixed

  • Calculate Fog expiration taking DST into account (@mshibuya, f90e14ca, #2059)
  • Set correct content type on copy of fog files (@ZuevEvgenii #2503, 6682f7ac, #2487)
  • Fix fog-google support to pass acl_header for public read if fog is public (@yosiat #2525, #2426)
  • Fix various URL escape issues by escaping on URI parse error only (@mshibuya 3faf7491, #2457, #2473)
  • Fix instance variables @versions_to_* not initialized warning (@mshibuya c10b82ed, #2493)
  • Fix SanitizedFile#move_to wrongly detects content_type based on the path before move (@mshibuya a42e1b4c, #2495)
  • Fix returning invalid content type on text files (@inkstak #2474, #2424)
  • Skip content type and extension filters where possible (@alexpooley #2464)
  • Fix file’s #url being called twice, which might be costly for non-local files (@skyeagle #2519)
  • Fix mime type detection failing with types which contain + symbol, such as image/svg+xml (@sylvainbx #2489)
  • Fix #cached? to return boolean instead of @cache_id value (@kmiyake #2510)
  • Fix mime type detection for MS Office files (@anthonypenner #2447)

Security

  • Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 387116f5, GHSA-cf3w-g86h-35x4)
  • Fix SSRF vulnerability in the remote file download feature (@mshibuya 012702eb, GHSA-fwcm-636p-68r5)

2.1.1 - 2021-02-08

Security

  • Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya 15bcf8d8, GHSA-cf3w-g86h-35x4)
  • Fix SSRF vulnerability in the remote file download feature (@mshibuya e0f79e36, GHSA-fwcm-636p-68r5)

2.1.0 - 2020-02-16

Added

  • Support authenticated_url for Backblaze provider (@kevivmatrix #2444)

Fixed

  • Fix Ruby 2.7 deprecations (@mshibuya 9a37fc9e)
  • Fix S3 path-style URL for host with dots for buckets that are placed in other regions than us-east-1 (@Bonias #2439)
  • Make MiniMagick::Image constant absolute to prevent misleading ‘uninitialized constant’ error (@p8 #2437)

2.0.2 - 2019-09-28

Fixed

  • Fix download causing nil error if the file has empty filename (@fukayatsu #2419, #2411)

2.0.1 - 2019-08-31

Fixed

  • Fix #{column}_cache unintentionally removing files on assigning empty string (@mshibuya 22e8005e, #2412)

2.0.0 - 2019-08-18

No changes.

2.0.0.rc - 2019-06-23

Added

  • Append, reorder, and remove-single-file feature for multiple file uploader (@mshibuya #2401)
  • Allow retrieval of uploader index within uploaders (@mshibuya #1771)
  • Add ability to customize downloaders (@mshibuya #1636)
  • Support internationalized domain names for downloader (@mshibuya #2086)
  • Support authenticated_url for Aliyun provider (@Nitrino #2381)
  • Support passing options to authenticated_url for OpenStack provider (@stanhu #2377)
  • Support authenticated_url for AzureRM provider (@Nitrino #2375)
  • Allow custom expires_at when building an authenticated_url (@stephankaag #2397)

Changed

  • [BREAKING CHANGE] Use the storage given by storage configuration also for cache_storage unless explicitly specified (@mshibuya 629afecb)
  • Improve Fog initialization (@mshibuya #2395)
  • [BREAKING CHANGE] Multiple file uploader now keeps successful files on update, only discarding failed ones (@mshibuya 7db9195d)
  • [BREAKING CHANGE] #remote_#{column}_urls= was changed to preserve precedent updates (@mshibuya 8f18a95b)
  • #serializable_hash now returns string for version keys (@schovi #2246)
  • Use the MimeMagic gem to inspect file headers for the mime type. This allows for mitigation of CVE-2016-3714, in combination with a content_type_whitelist (@locriani #1934)
  • Replace mime-types dependency with mini_mime to save memory (@bradleypriest #2292)
  • Delegate MiniMagick processing to ImageProcessing gem (@janko #2298)
  • Handle ActiveRecord transaction correctly, not storing or removing files on rollback (@skosh #2209)

Deprecated

  • fog_provider configuration was deprecated and has no effect, just adding fog providers to Gemfile will load them (@mshibuya ca201ee2)
  • CarrierWave::Uploader::Base#sanitized_file was deprecated, use #file instead (@mshibuya 28190e99)

Removed

  • Remove support for Rails 4.x and Ruby 2.0/2.1 (@mshibuya bada043f)

Fixed

  • Fix deleting files twice when marked for removal (@mshibuya 67800fde)
  • Fix uploader.cache! loads entire contents of file into memory (@mshibuya #2136)
  • Do not trigger *_will_change! when file is not to be removed (@mshibuya #2323)
  • Allow deleting all files for multiple file upload (@mshibuya #1990)
  • Failing to retrieve unquoted filenames from Content-Disposition (@mshibuya #2364)
  • Fix #clean_cache! breaking with old format of cache id (@mshibuya aab402fb)
  • Fix #exists? returning true after Fog file deletion (@mshibuya #2387)
  • Make #identifier available for a retrieved file (@mshibuya #1581)
  • Make cache id generation less predictable (@mshibuya #2326)
  • Uploaders not being cleared when #reload or #initialize_dup are overridden in model (@mshibuya #2379)
  • Fix #content_type returning false, instead of nil (@longkt90 #2384)
  • Preserve connection cache when eager-loading fog (@dmitryshagin #2383)
  • #recreate_versions! ignored :from_version when versions to recreate are given (@hedgesky #1879 #1164)

1.3.2 - 2021-02-08

Fixed

  • Fix Ruby 2.7 deprecations (@aubinlrx #2462)

Security

  • Fix Code Injection vulnerability in CarrierWave::RMagick (@mshibuya eb9346df, GHSA-cf3w-g86h-35x4)
  • Fix SSRF vulnerability in the remote file download feature (@mshibuya 91714add, GHSA-fwcm-636p-68r5)

1.3.1 - 2018-12-29

Fixed

  • Fix #url_options_supported? causing nil error (@mshibuya 0b9a64a1, #2361)

1.3.0 - 2018-12-24

Added

  • Query parameter support for fog-google (@stanhu #2332)
  • Jets Turbine Support (@tongueroo #2355)
  • Add allowed_types to content_type_whitelist_error (@mhluska #2270)

Fixed

  • S3 HTTPS url causes certificate issue when bucket name contains period (@ransombriggs #2359)
  • Failed to get image dimensions when image is cached but not stored yet (@artygus #2349)
  • Only include x-amz-acl header for AWS (@stanhu #2356)
  • Remove old caches when no space is left on disk (@dosuken123 #2342)

1.2.3 - 2018-06-30

Fixed

  • Fix reading whole content of large files into memory on storing (@dosuken123 #2314)

1.2.2 - 2018-01-02

Fixed

  • Reset Content-Type on converting file format (@kyoshidajp #2237)

1.2.1 - 2017-10-04

Fixed

  • Locale check breaks when a Symbol is given to available_locales (@mshibuya #2234)

1.2.0 - 2017-09-30

Added

  • Added Proc Support for Width and Height (@tomprats #2169)

Changed

  • Decode unicode filenames from URL (@fedorkk #2131)
  • Change file size of error message to human size (@aki77 #2199)

Fixed

  • Bundled en translation was not loaded by default, causing translation missing (@mshibuya 95ce39d3)
  • Remove potentially redundant HEAD request on checking fog file existence (@eritiro #2140)
  • Failing with uninitialized constant if uri is not loaded (@jasdeepsingh #2223)
  • RMagick could not process remotely stored files (@zog #2185)
  • Check if files are identical via FS rather than name before move (@riffraff #2191)
  • Regexp extension_whitelist is also case-insensitive now (@vmdhoke #2201)
  • Use __send__ instead of send (@dminuoso #2178)

1.1.0 - 2017-04-30

Added

  • Rails 5.1 compatibility (@paulsturgess #2130, #2133)
  • Support for process callback (@cfcosta #2045)
  • S3 Transfer Acceleration support (@krekoten #2108)
  • Allow non-argument options to be passed in mini magick combine_options (@krismartin #2097)

Fixed

  • Stop falling back to en locale when I18n is missing (@kryzhovnik #2083)
  • Allow negative timestamp in cache id (@NickOttrando #2092)
  • Avoid calling file.url twice (@lukeasrodgers #2078)
  • Content Type being reset when moving cached file (@dweinand #2117)

1.0.0 - 2016-12-24

No changes.

1.0.0.rc - 2016-10-30

Added

  • Ability to set custom request headers on downloading remote URL (@mendab1e #2006)

Changed

  • Re-enable public_url optimization for Google Cloud Storage (@nikz #2039)

Fixed

  • Fix clean_cache! deleting unexpired files due to RegExp mismatch (@t-oginogin #2036)

1.0.0.beta - 2016-09-08

Added

  • Rails 5 support (@mshibuya)
  • Add #width and #height methods to the RMagick processor (@mehlah #1805)
  • Add a test matcher for the format (@yanivpr #1758)
  • Support of MiniMagick’s Combine options (@bernabas #1754)
  • Validate with the actual content-type of files (@eavgerinos)
  • Support for multiple file uploads with mount_uploaders method (@jnicklas and @lisarutan #1481)
  • Add a cache_only configuration option, useful for testing (@jeffkreeftmeijer #1456)
  • Add #width and #height methods to MiniMagick processor (@ShivaVS #1405)
  • Support for jRuby (@lephyrius #1377)
  • Make cache storage configurable (@mshibuya #1312)
  • Errors on file size (@gautampunhani #1026)

Changed

  • Blank uploaders are now memoized on the model instance (@DarthSim #1860)
  • #content_type_whitelist and extension_whitelist now take either a string, a regexp, or an array of values (same thing for blacklists) (@mehlah #1825)
  • [BREAKING CHANGE] Rename extension_white_list ~> extension_whitelist (@mehlah #1819)
  • [BREAKING CHANGE] Rename extension_black_list ~> extension_blacklist (@mehlah #1819)
  • [BREAKING CHANGE] Rename i18n keys extension_black_list_error ~> extension_blacklist_error and extension_white_list_error ~> extension_whitelist_error (@mehlah)
  • Accept an array of strings or regexps to white/blacklist content types (@mehlah #1816)
  • Add counter to cache_id (@thomasfedb #1797)
  • [BREAKING CHANGE] Allow non-ASCII filename by default (@shuhei #1772)
  • [BREAKING CHANGE] to_json behavior changed when serializing an uploader (@jnicklas and @lisarutan #1481)
  • Better error when the configured storage is unknown (@st0012 #1779)
  • Allow passing additional options to Rackspace authenticated_url (@duhast #1722)
  • Reduced memory footprint (@schneems #1652, @simonprev #1706)
  • Improve Fog Loading (@plribeiro3000 #1620, @eavgerinos)
  • All locales from config.i18n.available_locales are added to load_path (@printercu #1521)
  • Do not display RMagick exception in I18n message (@manuelpradal #1361)
  • [BREAKING CHANGE] #default_url now accepts the same args passed to #url (@shekibobo #1347)

Removed

  • All locale files other than en are now in carrierwave-i18n (@mehlah #1848)
  • Remove CarrierWave::MagicMimeTypes processor module (@mehlah #1816)
  • Remove dependency on ruby-filemagic in white/blacklist content types (@mehlah #1816)
  • Remove CarrierWave::MimeTypes processor module (@mehlah #1813)
  • Remove support for Rails 3.2 and Ruby 1.8/1.9 (@bensie 2517d668)

Fixed

  • Don’t raise an error when content_type is called on a deleted file (@jvenezia #1915)
  • #remove_previous fails to detect equality when mount_on option is set (@mshibuya 44cfb7c0)
  • Fix Mounter.blank? method (@Bonias #1746)
  • Reset remove_#{column} after invoking remove_#{column} (@eavgerinos #1668)
  • Change Google’s url to the public_url (@m7moud #1683)
  • Do not write to ActiveModel::Dirty changes when assigning something blank to a mounter that was originally blank (@eavgerinos #1635)
  • Various grammar and typos fixes to error messages translations
  • Don’t error when size is called on a deleted file (@danielevans #1561)
  • Flush mounters on #dup of active record model (@danielevans #1544)
  • Fog::File.read returns its contents after upload instead of “closed stream” error (@stormsilver #1517)
  • Don’t read file twice when calling sanitized_file or cache! (@felixbuenemann #1476)
  • Change image extension when converting formats (@nashby #1446)
  • Fix file delete being called twice on remove (@adamcrown #1441)
  • RSpec 3 support (@randoum #1421, @akiomik #1370)
  • MiniMagick converts all pages by default when converting to a format, and accepts an optional page number parameter to convert specific pages (@harikrishnan83 #1408)
  • Fix cache workfile collision between versions (@jvdp #1399)
  • Reset mounter cache on record reload (@semenyukdmitriy #1383)
  • Retrieve only active versions of files (@filipegiusti #1351)
  • Fix default gravity in MiniMagick resize_and_pad (@abevoelker #1358)
  • Skip loading RMagick if already loaded (@mshibuya #1346)
  • Make the #remove_#{column} accessor set the mounted column as changed (@nikz #1326)
  • Tempfile and @content_type assignment (@bensie #1487)

0.11.0 - 2016-03-29

Changed

  • cache_id is now less collision-prone thanks to a counter (@stillwaiting and @mtsmfm #1866)

Fixed

  • Fix require RMagick deprecation warning (@thomasfedb and @bensie #1788)

0.10.0 - 2014-02-26

Please check 0.10-stable for previous changes.
