5.3

CVE-2024-22049

Exploit

httparty Multipart/Form-Data Request Tampering Vulnerability

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
DebianDebian Linux Version10.0
DebianDebian Linux Version11.0
FedoraprojectFedora Version38
FedoraprojectFedora Version39
JnunemakerHttparty SwPlatformruby Version < 0.21.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.29% 0.665
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
134c704f-9b21-4f2e-91b3-4a467353bcc0 5.3 3.9 1.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE-472 External Control of Assumed-Immutable Web Parameter

The web application does not sufficiently verify inputs that are assumed to be immutable but are actually externally controllable, such as hidden form fields.

https://github.com/advisories/GHSA-5pq7-52mg-hr42
Third Party Advisory
Exploit
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
Exploit
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
Patch
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
Patch
Vendor Advisory
Exploit
https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
Third Party Advisory
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
Mailing List
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
Mailing List
https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html
Third Party Advisory
Mailing List