Tuesday, May 6, 2025

[USN-7497-1] CarrierWave vulnerabilities

-----BEGIN PGP SIGNATURE-----

wsD5BAABCAAjFiEEkd98mdFcnQdP7vQkuGrtzot7pOcFAmgavM0FAwAAAAAACgkQuGrtzot7pOdd
dQv8DmQgkyXMwqcaqyukV8XGM6aeVQmrio51nnI6nYSHB8EKrpHdaO3Sv+lH34qTOwxXETu3XMqO
vJLgEUD2LZf5G+VoTtbZKI7FEaY1j4hHM7yB3uGa22af23JP+y5r3lc75ZnkouA1M/zaTcgpDKQm
yfqytV+hA6Aly+2/BN/y+9nYVqe//9XDQxP/cf7tZ41t2uqh46seHo8OaE5Dnta+FADddaFb+uMf
FkevVwFsDFe4P8KUsLtTxmWlA+9KDrLJzAq7DUcKyFGZZQo80q7KgOFfmsCBRJs8zLsOJfYpF1qt
6KrkkRXcoMJpZDP+QsoWnhsrftlwBpA9AymtS+o2TKC88uuBqooNu6nFzjDEwJWu/X+HL8aZoJjd
R+LlthzWABq1cj4ejZBdDaYsli/juRTyYuGDVnNgLZK98hFrGQpyfDTyScRXAa0SI2NYqfboCO+/
YIA0Sl4rupcIccqUk1Cw3cGearJaK5gp6JCHbdf0PijV4/iuWTrsD9TWVeJy
=+7/y
-----END PGP SIGNATURE-----
==========================================================================
Ubuntu Security Notice USN-7497-1
May 07, 2025

ruby-carrierwave vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in CarrierWave.

Software Description:
- ruby-carrierwave: Ruby file upload library

Details:

Rikita Ishikawa discovered that CarrierWave did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-21305)

Norihide Saito discovered that CarrierWave did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. (CVE-2023-49090)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  ruby-carrierwave                1.3.2-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  ruby-carrierwave                1.3.2-2ubuntu0.22.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ruby-carrierwave                1.3.1-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ruby-carrierwave                1.2.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7497-1
  CVE-2021-21305, CVE-2023-49090

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)