---
gem: paperclip
cve: 2017-0889
url: https://github.com/thoughtbot/paperclip/pull/2435
date: 2018-01-23
title: |
  Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF) vulnerability
  in the Paperclip::UriAdapter and Paperclip::HttpUrlProxyAdapter classes.
description: |
  The Paperclip gem provides multiple ways a file can be uploaded to a web server.
  The vulnerability affects two of Paperclip's IO adapters that accept URLs as
  attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
  used, Paperclip acts as a proxy and downloads the file from the URI that is
  passed in. By default the library does not perform any validation of that URI
  to protect against Server-Side Request Forgery (SSRF), so a remote attacker who
  controls the attachment URL may be able to make the server issue requests to,
  and obtain information about, internal network resources.
cvss_v2: 7.5
patched_versions:
  - ">= 5.2.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
    - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4