CVE-2023-49090
Content-Type allowlist bypass vulnerability in carrierwave (RubyGems)


What is CVE-2023-49090 About?

This vulnerability is a Content-Type allowlist bypass in CarrierWave, specifically in `ContentTypeAllowlist`, which can lead to Cross-Site Scripting (XSS). The flaw results from partial matching of content types, enabling attackers to upload files with malicious content-types. Exploitation allows for client-side script execution in a victim's browser when the uploaded file is accessed.

Affected Software

  • carrierwave
    • >=3.0.0, <3.0.5
    • <2.2.5

Technical Details

The vulnerability in `CarrierWave::Uploader::ContentTypeAllowlist` arises because the `allowlisted_content_type?` method performs a partial match when validating content types. An attacker can craft a `content_type` string that concatenates a disallowed type (e.g., `text/html`) with an allowed one (e.g., `image/png`), such as `text/html;image/png`. Because of the partial match, this malicious content type is accepted as valid whenever `image/png` is in the `content_type_allowlist`. If the attacker can then also control the Content-Type header during file delivery, a user's browser opening the file (even a seemingly benign image that carries an embedded script) will render it as `text/html`, leading to XSS.
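The following is an added example, not CarrierWave's own code: a minimal Ruby re-creation of the partial-match check described above, placed beside an anchored, whole-value comparison so the difference in outcome for a value like `text/html;image/png` is visible. The class name `ContentTypeCheck`, the method names `partial_match?` and `exact_match?`, the allowlist contents and the sample values are all constructed for this illustration; the hardened variant models one reasonable fix (anchoring and case-insensitive full-string equality), not necessarily the exact change shipped in 2.2.5/3.0.5.

```ruby
# Added example (not from the CarrierWave project): contrast a partial
# content-type match, as described for CVE-2023-49090, with an anchored
# whole-value match. Allowlist and samples below are constructed.
class ContentTypeCheck
  # Constructed allowlist mixing plain strings and a Regexp entry, since
  # allowlists are commonly written either way.
  ALLOWLIST = ["image/png", "image/jpeg", %r{image/gif}].freeze

  # Vulnerable behaviour: each allowlisted string becomes an UNANCHORED
  # regexp, so the submitted value only needs to *contain* an allowed type
  # somewhere, e.g. "text/html;image/png" matches /image\/png/.
  def self.partial_match?(content_type, allowlist = ALLOWLIST)
    allowlist.any? do |item|
      pattern = item.is_a?(Regexp) ? item : /#{Regexp.quote(item)}/
      !(content_type.to_s =~ pattern).nil?
    end
  end

  # Hardened behaviour: the ENTIRE submitted value must equal an allowed
  # string (case-insensitively), and Regexp entries are anchored with
  # \A ... \z before use, so nothing can be smuggled before or after.
  def self.exact_match?(content_type, allowlist = ALLOWLIST)
    value = content_type.to_s.strip.downcase
    return false if value.empty?

    allowlist.any? do |item|
      if item.is_a?(Regexp)
        anchored = Regexp.new("\\A(?:#{item.source})\\z", Regexp::IGNORECASE)
        value.match?(anchored)
      else
        value == item.downcase
      end
    end
  end

  # Constructed sample values a defender might want to compare.
  SAMPLES = [
    "image/png",            # legitimate
    "text/html;image/png",  # the bypass shape described in the advisory
    "image/png;text/html",  # allowed type first, disallowed type appended
    "IMAGE/PNG",            # case variant
    "image/svg+xml"         # not on the allowlist at all
  ].freeze

  # Returns [value, partial_result, exact_result] per sample so the two
  # checks can be compared side by side.
  def self.report(samples = SAMPLES)
    samples.map { |ct| [ct, partial_match?(ct), exact_match?(ct)] }
  end
end

if $PROGRAM_NAME == __FILE__
  ContentTypeCheck.report.each do |value, partial, exact|
    puts format("%-22s partial=%-5s exact=%s", value, partial, exact)
  end
end
```

Running the file prints one row per sample; the row for `text/html;image/png` is the one that matters, since the partial check accepts it while the anchored check rejects it. Note that `exact_match?` also rejects `image/png;text/html`, which is the conservative choice: a validator should not have to reason about how a browser parses parameters after the media type.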

What is the Impact of CVE-2023-49090?

Successful exploitation may allow attackers to execute arbitrary client-side scripts in a victim's browser, leading to session hijacking, data theft, or website defacement.

What is the Exploitability of CVE-2023-49090?

Exploitation is possible if an attacker can control both the Content-Type string provided to allowlisted_content_type? and, ideally, the Content-Type header during file delivery. This typically occurs in scenarios involving file uploads where the Content-Type is user-controlled or derived from user input. No specific authentication is required for the bypass itself, only the ability to upload files. The attack is remote. The complexity is moderate, as it requires understanding the partial matching logic and potentially controlling delivery headers. The likelihood of exploitation is higher in applications that rely solely on this flawed content type validation for security and allow user-uploaded content to be served directly.

What are the Known Public Exploits?

No known exploits

What are the Available Fixes for CVE-2023-49090?

Available Upgrade Options

  • carrierwave
    • <2.2.5 → Upgrade to 2.2.5
  • carrierwave
    • >=3.0.0, <3.0.5 → Upgrade to 3.0.5


Additional Resources

What are Similar Vulnerabilities to CVE-2023-49090?

Similar Vulnerabilities: CVE-2023-28107, CVE-2022-24792, CVE-2021-36538, CVE-2020-2521, CVE-2015-2836