CVE-2021-21305

7.4 HIGH

📋 TL;DR

CarrierWave versions before 1.3.2 and 2.1.1 contain a code injection vulnerability in the #manipulate! method of the RMagick processor. Values supplied through the mutation options (:read/:write) are interpolated into Ruby source and evaluated, so an attacker who controls one of those values executes arbitrary Ruby in the application process. Any Ruby application that passes untrusted input into those options of a vulnerable CarrierWave version is affected.

💻 Affected Systems

Products:
  • CarrierWave RubyGem
Versions: All versions before 1.3.2 and all 2.x versions before 2.1.1
Operating Systems: All operating systems running Ruby applications with CarrierWave
Default Config Vulnerable: ⚠️ Only if the application forwards untrusted values
Notes: The vulnerable code is only reached when application code calls #manipulate! with attacker-influenced values in the mutation options (:read/:write), for example a request parameter used as a density setting. Uploads that use fixed, hard-coded options do not expose the bug, but upgrading is still the correct fix.

📦 What is this software?

CarrierWave is a Ruby gem for handling file uploads in Ruby and Rails applications. It defines uploader classes that store files locally or in cloud storage and can process them (resizing, format conversion) through optional RMagick or MiniMagick processors; #manipulate! is the RMagick processor's entry point for applying those operations.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠

Likely Case

Remote code execution with application user privileges, potentially leading to data exfiltration, backdoor installation, or service disruption.

🟢

If Mitigated

Limited impact if input validation prevents untrusted data from reaching the vulnerable method, though risk remains if controls are bypassed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the application to pass an attacker-controlled value (typically a request parameter) into the :read or :write options of #manipulate!. Whether the attack is unauthenticated depends on the upload endpoint: if anonymous users can upload and the handler forwards their parameters into those options, no credentials are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.2 for 1.x branch, 2.1.1 for 2.x branch

Vendor Advisory: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4

Restart Required: Yes

Instructions:

1. Update the Gemfile to specify 'gem "carrierwave", "~> 1.3.2"' for 1.x or 'gem "carrierwave", "~> 2.1.1"' for 2.x.
2. Run 'bundle update carrierwave'.
3. Restart the Ruby application server.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Do not pass request-derived values into the mutation options (:read/:write). Build the option hashes from constants or an application-side allowlist of keys and validated values, so nothing an attacker controls reaches #manipulate!.

🧯 If You Can't Patch

  • Audit every call to #manipulate! that sets :read or :write options and make sure no value originates from a request or from other data an end user controls
  • Disable or restrict file upload functionality until patching is possible
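The injection pattern and a hardened option builder side by side, as an added example (this is not CarrierWave's code): the eval-based builder below is modelled on the advisory's description of the bug, and ImageInfo, ALLOWED_OPTIONS, safe_info_block, apply_options and the payload string are constructed for illustration.

```ruby
# Added example, not CarrierWave's code: the injection pattern behind
# CVE-2021-21305, modelled on the advisory's description, next to a hardened
# option builder. ImageInfo, ALLOWED_OPTIONS and the helper names are constructed.

# Stand-in for the RMagick Image::Info object that a read/write block configures.
class ImageInfo
  attr_accessor :density, :quality
end

# Observable sink so injected code is detectable without touching the system.
$injected = []

# VULNERABLE: option values are interpolated into Ruby source and eval'd, so a
# value such as '"72"; <any Ruby>' becomes code in the application process.
def vulnerable_info_block(options)
  return nil unless options
  assignments = options.map { |k, v| "img.#{k} = #{v}" }
  eval("lambda { |img| #{assignments.join(';')} }")
end

# Allowlist of mutation options the application is willing to forward, each with
# a validator. Values are checked as data; nothing here is turned into source code.
ALLOWED_OPTIONS = {
  density: ->(v) { v.is_a?(String) && v.match?(/\A\d{1,4}(x\d{1,4})?\z/) },
  quality: ->(v) { v.is_a?(Integer) && v.between?(1, 100) },
}.freeze

# HARDENED: no eval; unknown keys and malformed values are rejected before the
# block is built, and assignment goes through public_send with the value as-is.
def safe_info_block(options)
  return nil unless options
  raise ArgumentError, "expected Hash, got #{options.class}" unless options.is_a?(Hash)
  options.each do |k, v|
    check = ALLOWED_OPTIONS[k.to_sym]
    raise ArgumentError, "option #{k.inspect} is not allowed" unless check
    raise ArgumentError, "invalid value for #{k}: #{v.inspect}" unless check.call(v)
  end
  lambda { |img| options.each { |k, v| img.public_send(:"#{k}=", v) } }
end

# Builds the block with the given builder and applies it to a fresh ImageInfo,
# mirroring how manipulate! hands the block to Image.read / Image#write.
def apply_options(builder, options)
  info = ImageInfo.new
  block = send(builder, options)
  block&.call(info)
  info
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker-controlled value, e.g. params[:density] forwarded by the app.
  payload = '"72"; $injected << :pwned'
  apply_options(:vulnerable_info_block, { density: payload })
  puts "vulnerable builder ran injected code: #{$injected.inspect}" # [:pwned]
  begin
    apply_options(:safe_info_block, { density: payload })
  rescue ArgumentError => e
    puts "hardened builder rejected it: #{e.message}"
  end
end
```

The allowlist only protects what the application itself forwards; upgrading to 1.3.2 / 2.1.1 is still the fix, and request parameters should never reach :read/:write directly even on a patched version.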

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for the carrierwave entry, or run 'bundle show carrierwave' to see the installed version. If the version is <1.3.2 (for 1.x) or <2.1.1 (for 2.x), the application is running vulnerable code; whether it is exploitable then depends on how #manipulate! is called (see the Notes under Affected Systems).

Check Version:

bundle show carrierwave

Verify Fix Applied:

After updating, verify with 'bundle show carrierwave' that version is >=1.3.2 (1.x) or >=2.1.1 (2.x). Test file upload functionality to ensure it still works.

📡 Detection & Monitoring

Log Indicators:

  • Request parameters to upload or image-processing endpoints that contain Ruby syntax (backticks, 'system(', '%x', 'Kernel.', 'IO.popen', statement separators) in fields that should hold simple values such as a density or quality
  • SyntaxError exceptions raised during upload processing, which can indicate malformed injection attempts against the evaluated option string

Network Indicators:

  • Unusual outbound connections from application servers following file uploads
  • Shell or network utilities (sh, curl, wget) spawned as child processes of the Ruby application server

SIEM Query:

source="application.log" AND (uri="*upload*" OR "manipulate!") AND ("system(" OR "%x" OR "IO.popen" OR "Kernel." OR "`")

🔗 References

  • GitHub Security Advisory GHSA-cf3w-g86h-35x4: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-cf3w-g86h-35x4
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-21305