Sha256: 569870c5a75c87991f9edb525ba73b8b625d276888cbd636252ffa1399e5043a

Contents?: true

Size: 1.02 KB

Versions: 3

Compression:

Stored size: 1.02 KB

Contents

---
gem: paperclip
cve: 2017-0889
url: https://github.com/thoughtbot/paperclip/pull/2435
date: 2018-01-23
title: |
  Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
  in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter classes.
description: |
  The Paperclip gem provides multiple ways a file can be uploaded to a web server.
  The vulnerability affects two of Paperclip’s IO adapters that accept URLs as
  attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
  used, Paperclip acts as a proxy and downloads the file from the URI that is
  passed in. By default, the library performs no validation of that URI to protect
  against Server-Side Request Forgery (SSRF). This may allow a remote attacker to
  access information about internal network resources.
cvss_v2: 7.5
patched_versions:
  - ">= 5.2.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
    - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/gems/paperclip/CVE-2017-0889.yml
bundler-budit-0.6.2 data/ruby-advisory-db/gems/paperclip/CVE-2017-0889.yml
bundler-budit-0.6.1 data/ruby-advisory-db/gems/paperclip/CVE-2017-0889.yml