Browse all 4 CVE security advisories affecting carrierwaveuploader. AI-powered Chinese analysis, POCs, and references for each vulnerability.
CarrierWaveUploader is a Ruby gem for file uploading in Rails applications, commonly used for handling user-uploaded content. Historically, it has been susceptible to Remote Code Execution (RCE) through insecure file processing, Cross-Site Scripting (XSS) via malicious file uploads, and privilege escalation due to improper access controls. Notable vulnerabilities include CVE-2021-22215, which allowed RCE via crafted SVG files, and exposure to CVE-2021-44228 (Log4j) when it is integrated with vulnerable logging systems. The gem's security depends heavily on proper configuration: the default settings often permit dangerous file types and lack sufficient sanitization, which makes it a frequent target in web application penetration tests.
| CVE ID | Title | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|
| CVE-2024-29034 | CarrierWave's Content-Type allowlist bypass vulnerability which possibly leads to XSS remained | CWE-436 | 6.8 | Medium | 2024-03-24 |
| CVE-2023-49090 | CarrierWave has a content-type allowlist bypass vulnerability, possibly leading to XSS | CWE-79 | 6.8 | Medium | 2023-11-29 |
| CVE-2021-21305 | Code Injection vulnerability in CarrierWave | CWE-74 | 7.4 | High | 2021-02-08 |
| CVE-2021-21288 | Server-side request forgery in CarrierWave | CWE-918 | 4.3 | Medium | 2021-02-08 |