Candidate: CVE-2021-21288
PublicDate: 2021-02-08 20:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21288
 https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#132---2021-02-08
 https://github.com/carrierwaveuploader/carrierwave/blob/master/CHANGELOG.md#211---2021-02-08
 https://github.com/carrierwaveuploader/carrierwave/commit/012702eb3ba1663452aa025831caa304d1a665c0
 https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-fwcm-636p-68r5
 https://rubygems.org/gems/carrierwave/
Description:
 CarrierWave is an open-source RubyGem which provides a simple and flexible
 way to upload files from Ruby applications. In CarrierWave before versions
 1.3.2 and 2.1.1 the download feature has an SSRF vulnerability, allowing
 attacks to provide DNS entries or IP addresses that are intended for
 internal use and gather information about the Intranet infrastructure of
 the platform. This is fixed in versions 1.3.2 and 2.1.1.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N [4.3 MEDIUM]


Patches_ruby-carrierwave:
upstream_ruby-carrierwave: needs-triage
precise/esm_ruby-carrierwave: DNE
trusty_ruby-carrierwave: ignored (out of standard support)
trusty/esm_ruby-carrierwave: DNE
xenial_ruby-carrierwave: ignored (end of standard support, was needs-triage)
bionic_ruby-carrierwave: needs-triage
focal_ruby-carrierwave: needs-triage
groovy_ruby-carrierwave: ignored (reached end-of-life)
hirsute_ruby-carrierwave: ignored (reached end-of-life)
impish_ruby-carrierwave: needs-triage
jammy_ruby-carrierwave: needs-triage
devel_ruby-carrierwave: needs-triage