oss-sec mailing list archives
CVE request: DoS vulnerability in Ruby gem Paperclip
From: Bart de Water <bart () somnilocode nl>
Date: Mon, 14 Mar 2016 19:37:01 +0000
Hello,

I believe there's a denial of service vulnerability in Paperclip version 4.2.2 through 4.3.5: it's possible to cause a DoS by uploading files with a spoofed media type, because it causes megabytes of logging (data from the mime-types gem) to be written. See https://cwe.mitre.org/data/definitions/779.html for more information.

It seems to have been introduced in this commit https://github.com/thoughtbot/paperclip/commit/9aee4112f36058cd28d5fe4a006d6981bd1eda57 in version 4.2.2, and it's fixed in 4.3.6 (released yesterday) with this pull request: https://github.com/thoughtbot/paperclip/pull/2126

Thanks,
Bart de Water
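Two checks a practitioner would want after reading the report above, written as an added example that is not part of the original post and not Paperclip's or the mime-types gem's own code: a version check that tests a Gemfile.lock against the affected range stated in the report (4.2.2 up to but not including 4.3.6), and a demonstration of the CWE-779 failure mode it describes, in which interpolating an array of rich objects into a log line calls `#inspect` on each element and dumps their internal state. `FakeType`, `spoof_message_naive`, `spoof_message_safe`, `BoundedLogger` and the sample lockfile are hypothetical and constructed for this example; they do not reproduce Paperclip's actual spoof-detection code or message format.

```ruby
require 'rubygems'
require 'logger'
require 'stringio'

# --- 1. Version check against the range given in the advisory -------------
# Affected: 4.2.2 through 4.3.5; fixed in 4.3.6.
PAPERCLIP_AFFECTED = Gem::Requirement.new('>= 4.2.2', '< 4.3.6')

def paperclip_affected?(version)
  PAPERCLIP_AFFECTED.satisfied_by?(Gem::Version.new(version))
end

# Pull paperclip's pinned version out of Gemfile.lock text. Under "specs:"
# each gem line is indented four spaces; its dependencies use six.
def paperclip_status(lockfile_text)
  m = lockfile_text.match(/^ {4}paperclip \(([^)]+)\)/)
  return { found: false } unless m
  { found: true, version: m[1], affected: paperclip_affected?(m[1]) }
end

# Constructed Gemfile.lock fragment (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      mime-types (3.0)
      paperclip (4.3.5)
        activemodel (>= 3.2.0)
        mime-types
LOCK

# --- 2. Logging-volume demonstration (hypothetical objects) ---------------
# FakeType stands in for any object whose #inspect dumps a large internal
# table while #to_s is a short identifier. It is NOT MIME::Type.
FakeType = Struct.new(:name, :table) do
  def to_s
    name
  end
end

def fake_types(count: 50, table_size: 20_000)
  Array.new(count) { |i| FakeType.new("application/x-type-#{i}", 'x' * table_size) }
end

# Naive message: "#{types}" calls Array#to_s, i.e. #inspect on every element,
# so the log line grows with the objects' internal state.
def spoof_message_naive(filename, supplied, types)
  "Content Type Spoof: #{filename} (#{supplied} from headers, #{types} from extension)"
end

# Safe message: only the short string form of each element reaches the log.
def spoof_message_safe(filename, supplied, types)
  names = types.map(&:to_s).join(', ')
  "Content Type Spoof: #{filename} (#{supplied} from headers, #{names} from extension)"
end

# A logger that refuses to write any single record larger than max_bytes,
# so one crafted upload cannot write megabytes of log per request.
class BoundedLogger
  attr_reader :dropped

  def initialize(io, max_bytes:)
    @logger = Logger.new(io)
    @max = max_bytes
    @dropped = 0
  end

  # Returns true if the record was written, false if it was suppressed.
  def warn(msg)
    if msg.bytesize > @max
      @dropped += 1
      @logger.warn("log record suppressed: #{msg.bytesize} bytes exceeds #{@max}")
      return false
    end
    @logger.warn(msg)
    true
  end
end

def demo
  types = fake_types
  naive = spoof_message_naive('evil.jpg', 'image/jpeg', types)
  safe  = spoof_message_safe('evil.jpg', 'image/jpeg', types)
  out = StringIO.new
  log = BoundedLogger.new(out, max_bytes: 4096)
  naive_written = log.warn(naive)
  safe_written  = log.warn(safe)
  { naive_bytes: naive.bytesize, safe_bytes: safe.bytesize,
    naive_written: naive_written, safe_written: safe_written, dropped: log.dropped }
end

if __FILE__ == $PROGRAM_NAME
  p paperclip_status(SAMPLE_LOCK)
  p demo
end
```

With 50 objects each carrying a 20 KB table, the naive line is over a megabyte while the safe line is a little over a kilobyte; the bounded logger drops the former and keeps the latter. The same two fixes apply generally: log `to_s`/identifiers rather than whole objects, and put a per-record size cap in front of any logger that untrusted input can reach.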