CVE-2023-49090
Content-Type allowlist bypass vulnerability, possibly leading to XSS (Content-Type 許可リストのバイパスとXSS(クロスサイトスクリプティング)の可能性)
Impact
CarrierWave::Uploader::ContentTypeAllowlist has a Content-Type allowlist bypass vulnerability, possibly leading to XSS.
The validation in allowlisted_content_type?
determines Content-Type permissions by performing a partial match.
If the content_type
argument of allowlisted_content_type?
is passed a value crafted by the attacker, Content-Types not included in the content_type_allowlist
will be allowed.
In addition, by setting the Content-Type configured by the attacker at the time of file delivery, it is possible to cause XSS on the user's browser when the uploaded file is opened.
Patches
Workarounds
When validating with allowlisted_content_type?
in CarrierWave::Uploader::ContentTypeAllowlist , forward match(\A
) the Content-Type set in content_type_allowlist
, preventing unintentional permission of text/html;image/png
when you want to allow only image/png
in content_type_allowlist
.