CVE-2024-29034

ADVISORY - github

Summary

Impact

The vulnerability CVE-2023-49090 wasn't fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what's allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

Patches

Upgrade to 3.0.7 or 2.2.6.

Workarounds

Use the following monkey patch to let CarrierWave parse the Content-type by using Marcel::MimeType.for.

# For CarrierWave 3.x
CarrierWave::SanitizedFile.class_eval do
  def declared_content_type
    @declared_content_type ||
      if @file.respond_to?(:content_type) && @file.content_type
        Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
      end
  end
end

# For CarrierWave 2.x
CarrierWave::SanitizedFile.class_eval do
  def existing_content_type
    if @file.respond_to?(:content_type) && @file.content_type
      Marcel::MimeType.for(declared_type: @file.content_type.to_s.chomp)
    end
  end
end

References

OWASP - File Upload Cheat Sheet

EPSS Score⁠: 0.00075 (0.222)

Common Weakness Enumeration (CWE)

ADVISORY - nist

CWE-436⁠

Interpretation Conflict

CWE-79⁠

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - github

CWE-436⁠

Interpretation Conflict

CWE-79⁠

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADVISORY - gitlab

CWE-1035⁠

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

CWE-436⁠

Interpretation Conflict

CWE-79⁠

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-937⁠

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Impacted images

Advisories

NIST

CREATED

2 years ago

UPDATED

6 months ago

ADVISORY IDCVE-2024-29034⁠

EXPLOITABILITY SCORE

2.3

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-436⁠CWE-79⁠

CVSS SCORE

6.8medium

GitHub

CREATED

2 years ago

UPDATED

2 years ago

ADVISORY IDGHSA-vfmv-jfc5-pjjw⁠

EXPLOITABILITY SCORE

2.3

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-436⁠CWE-79⁠

CVSS SCORE

6.8medium

Debian

CREATED

2 years ago

UPDATED

7 days ago

ADVISORY IDCVE-2024-29034⁠

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

N/Alow

Ubuntu

CREATED

2 years ago

UPDATED

6 months ago

ADVISORY IDCVE-2024-29034⁠

EXPLOITABILITY SCORE

2.8

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

CVSS SCORE

6.1medium

GitLab

CREATED

2 years ago

UPDATED

2 years ago

ADVISORY ID

CVE-2024-29034

EXPLOITABILITY SCORE

2.3

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-436⁠CWE-79⁠CWE-937⁠

CVSS SCORE

6.8medium

Chainguard

CREATED

2 months ago

UPDATED

2 months ago

ADVISORY ID

CGA-84c4-qjff-w432

EXPLOITABILITY SCORE

-

EXPLOITS FOUND

-

COMMON WEAKNESS ENUMERATION (CWE)-

RATING UNAVAILABLE FROM ADVISORY