[USN-7497-1] CarrierWave vulnerabilities
Bruce Cable
bruce.cable at canonical.com
Wed May 7 01:52:13 UTC 2025
==========================================================================
Ubuntu Security Notice USN-7497-1
May 07, 2025
ruby-carrierwave vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS
Summary:
Several security issues were fixed in CarrierWave.
Software Description:
- ruby-carrierwave: Ruby file upload library
Details:
Rikita Ishikawa discovered that CarrierWave did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-21305)
Norihide Saito discovered that CarrierWave did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. (CVE-2023-49090)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 24.04 LTS
ruby-carrierwave 1.3.2-2ubuntu0.24.04.1~esm1
Available with Ubuntu Pro
Ubuntu 22.04 LTS
ruby-carrierwave 1.3.2-2ubuntu0.22.04.1~esm1
Available with Ubuntu Pro
Ubuntu 20.04 LTS
ruby-carrierwave 1.3.1-2ubuntu0.1~esm1
Available with Ubuntu Pro
Ubuntu 18.04 LTS
ruby-carrierwave 1.2.2-1ubuntu0.1~esm1
Available with Ubuntu Pro
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-7497-1
CVE-2021-21305, CVE-2023-49090
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 665 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/ubuntu-security-announce/attachments/20250507/8c3bf1a1/attachment.sig>
More information about the ubuntu-security-announce
mailing list