CarrierWave Content-Type Allowlist Bypass Vulnerability Leading to XSS

Vulnerability

A Content-Type allowlist bypass vulnerability has been identified in CarrierWave, a file upload solution for Ruby web frameworks such as Rails and Sinatra. This vulnerability affects versions prior to 3.0.7 and prior to 2.2.6. The issue arises when uploading files to object storage, such as Amazon S3, where it is possible to manipulate the Content-Type value. A Content-Type header that carries multiple values separated by commas can pass the allowlist check, so a type that is not on the allowlist is stored with the object and later interpreted by browsers. This bypassed value could potentially be exploited to execute cross-site scripting (XSS) attacks.

Impact

Exploitation of this vulnerability could lead to cross-site scripting (XSS): an attacker could inject malicious scripts that are executed in the context of the user's browser.

Reproduction

To reproduce this vulnerability, upload a file through CarrierWave to an object storage service such as Amazon S3, setting the Content-Type header during the upload to multiple values separated by commas. This bypasses the allowlist validation and could be used to inject a script that executes as a cross-site scripting (XSS) attack.

Remediation

Users are advised to upgrade to CarrierWave version 3.0.7 or 2.2.6 (for the 2.x branch). Those unable to upgrade can apply a monkey patch that parses the declared Content-Type using Marcel::MimeType.
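The following is an added illustration, not CarrierWave's own code, of the check described in the Vulnerability and Remediation sections: a permissive allowlist check that (as assumed here for illustration) matches each allowed type only as a prefix of the declared Content-Type, beside a strict single-value parser that rejects comma-separated headers. The page's recommended fix parses with Marcel::MimeType; this example substitutes a small hand-written parser so it runs without that gem, and ALLOWLIST, permissive_allowed?, parse_media_type and strict_allowed? are names chosen for the example.

```ruby
# Constructed allowlist for the example.
ALLOWLIST = ['image/png', 'image/jpeg'].freeze

# Assumed permissive check: each allowlist entry is matched only as a
# prefix of the declared Content-Type, so anything appended after a comma
# is never examined. This is the behaviour the advisory describes, modelled
# here for illustration rather than copied from CarrierWave.
def permissive_allowed?(declared, allowlist = ALLOWLIST)
  return false if declared.nil?
  allowlist.any? { |t| declared =~ /\A#{Regexp.quote(t)}/ }
end

# One media type only: "type/subtype" over a conservative subset of the
# RFC 7231 token characters. Parameters after ';' are dropped.
MEDIA_TYPE = %r{\A[a-z0-9][a-z0-9._+-]*/[a-z0-9][a-z0-9._+-]*\z}i

# Returns the canonical lowercase media type, or nil when the header is
# missing, malformed, or carries more than one value.
def parse_media_type(declared)
  return nil if declared.nil?
  return nil if declared.include?(',')        # multiple values: reject
  type = declared.split(';', 2).first.strip   # strip parameters
  return nil unless type.match?(MEDIA_TYPE)
  type.downcase
end

# Hardened check: the header must parse to exactly one media type and
# that type must be on the allowlist.
def strict_allowed?(declared, allowlist = ALLOWLIST)
  type = parse_media_type(declared)
  !type.nil? && allowlist.include?(type)
end
```

A multi-valued header such as `image/png, text/html` passes permissive_allowed? but is rejected by strict_allowed?, which is the property the upgrade or Marcel-based patch restores.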

Added: Mar 11, 2026, 6:33 PM
Updated: Mar 11, 2026, 6:33 PM