CVE-2017-0889.yml
---
gem: paperclip
cve: 2017-0889
ghsa: 5jcf-c5rg-rmm8
url: https://github.com/thoughtbot/paperclip/pull/2435
title:
  Paperclip ruby gem suffers from a Server-Side Request Forgery (SSRF)
  vulnerability in the Paperclip::UriAdapter and
  Paperclip::HttpUrlProxyAdapter classes.
date: 2018-01-23
description: |
  The Paperclip gem provides multiple ways a file can be uploaded to a web server.
  The vulnerability affects two of Paperclip's IO adapters that accept URLs as
  attachment data (UriAdapter and HttpUrlProxyAdapter). When these adapters are
  used, Paperclip acts as a proxy and downloads the file from the URI that is
  passed in. By default the library performs no validation of that URI to protect
  against Server-Side Request Forgery (SSRF), so a remote attacker who controls the
  URL may be able to reach internal network resources through the server and
  obtain information about them.
cvss_v2: 7.5
cvss_v3: 9.8
patched_versions:
  - ">= 5.2.0"
related:
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2017-0889
    - https://github.com/thoughtbot/paperclip/commit/4ebedfbd11d20d03ed03a1274ed281eee62715d4