CVE-2024-29034: CarrierWave content-Type allowlist bypass vulnerability which possibly leads to XSS remained

March 25, 2024

The vulnerability CVE-2023-49090 wasn’t fully addressed.

This vulnerability is caused by the fact that when uploading to object storage, including Amazon S3, it is possible to set a Content-Type value that is interpreted by browsers to be different from what’s allowed by content_type_allowlist, by providing multiple values separated by commas.

This bypassed value can be used to cause XSS.

References

github.com/advisories/GHSA-vfmv-jfc5-pjjw
github.com/carrierwaveuploader/carrierwave
github.com/carrierwaveuploader/carrierwave/commit/25b1c800d45ef8e78dc445ebe3bd8a6e3f0a3477
github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-vfmv-jfc5-pjjw
nvd.nist.gov/vuln/detail/CVE-2024-29034

Code Behaviors & Features

Detect and mitigate CVE-2024-29034 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →