oss-sec mailing list archives

CVE request: DoS vulnerability in Ruby gem Paperclip


From: Bart de Water <bart () somnilocode nl>
Date: Mon, 14 Mar 2016 19:37:01 +0000

Hello,

I believe there's a denial of service vulnerability in Paperclip versions
4.2.2 through 4.3.5: it's possible to cause a DoS by uploading files with a
spoofed media type, because doing so causes megabytes of logging (data from
the mime-types gem) to be written. See
https://cwe.mitre.org/data/definitions/779.html for more information.

It seems to have been introduced in this commit
https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57
in version 4.2.2, and it's fixed in 4.3.6 (released yesterday) with this pull
request: https://github.com/thoughtbot/paperclip/pull/2126

Thanks,
Bart de Water
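As an illustration of the logging pattern the report describes (CWE-779, excessive log output triggered by an attacker-controlled upload), the following is an added example, not Paperclip's own code and not taken from the commit or pull request above. It compares a spoof check that dumps an entire MIME table on each mismatch against one that writes a bounded line. The MIME table, the filler entries and the sample upload are constructed for the example; the real mime-types gem is not used.

```ruby
require "logger"
require "stringio"

# Constructed stand-in for a MIME database: extension -> allowed content types.
# The three real entries are padded with hypothetical filler types so the table
# is roughly the size of a real database (the filler types are not registered).
MIME_TABLE = {
  "png"  => ["image/png"],
  "jpg"  => ["image/jpeg"],
  "html" => ["text/html"],
}
(1..3000).each { |i| MIME_TABLE["ext#{i}"] = ["application/x-example-#{i}"] }

def candidate_types(filename)
  ext = File.extname(filename).sub(/\A\./, "").downcase
  MIME_TABLE.fetch(ext, [])
end

# A spoof is an upload whose extension maps to known types but whose sniffed
# content type (assumed to come from inspecting the file bytes) is not among them.
def spoofed?(filename, sniffed_type)
  allowed = candidate_types(filename)
  !allowed.empty? && !allowed.include?(sniffed_type)
end

# Vulnerable pattern (CWE-779): every spoofed upload appends the whole MIME
# table to the log, so an attacker controls how fast the log grows.
def check_verbose(filename, sniffed_type, logger)
  return false unless spoofed?(filename, sniffed_type)
  logger.warn("Content type spoof: #{filename} sniffed as #{sniffed_type}; " \
              "known types: #{MIME_TABLE.inspect}")
  true
end

# Hardened pattern: one bounded line with a sanitized, truncated filename,
# the sniffed type and only the count of allowed candidates.
def check_bounded(filename, sniffed_type, logger)
  return false unless spoofed?(filename, sniffed_type)
  safe_name = File.basename(filename).gsub(/[^\w.-]/, "_")[0, 80]
  logger.warn("Content type spoof: #{safe_name} sniffed as #{sniffed_type}; " \
              "#{candidate_types(filename).size} allowed type(s)")
  true
end

# Run one check against an in-memory log and return how many bytes it wrote.
def bytes_logged(filename, sniffed_type, bounded:)
  io = StringIO.new
  logger = Logger.new(io)
  if bounded
    check_bounded(filename, sniffed_type, logger)
  else
    check_verbose(filename, sniffed_type, logger)
  end
  io.string.bytesize
end

if __FILE__ == $PROGRAM_NAME
  # Constructed upload: a file named .png whose bytes sniff as HTML.
  puts "verbose check logged #{bytes_logged('cat.png', 'text/html', bounded: false)} bytes"
  puts "bounded check logged #{bytes_logged('cat.png', 'text/html', bounded: true)} bytes"
end
```

The point of the comparison is that the attacker pays only a small upload per request while the verbose variant writes the full table each time; a bounded line keeps the log cost per request constant regardless of how large the MIME database is. Sanitizing and truncating the filename also stops an attacker from padding the log line through the name itself.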
