CVE-2017-0889 - OpenCVE

Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:N/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Thoughtbot	Paperclip

Configuration 1 [-]

cpe:2.3:a:thoughtbot:paperclip:*:*:*:*:*:ruby:*:*

References

Link	Resource
https://github.com/thoughtbot/paperclip/pull/2435	Issue Tracking Patch Third Party Advisory
https://hackerone.com/reports/209430	Permissions Required
https://hackerone.com/reports/713	Issue Tracking Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: hackerone

Published: 2017-04-21T00:00:00

Updated: 2017-11-13T16:57:01

Reserved: 2016-11-30T00:00:00

Link: CVE-2017-0889

JSON object: View

NVD Information

Status : Modified

Published: 2017-11-13T17:29:00.193

Modified: 2019-10-09T23:21:08.150

Link: CVE-2017-0889

JSON object: View

Redhat Information

No data.

CWE

CWE-918

{"containers": {"cna": {"affected": [{"product": "paperclip ruby gem", "vendor": "thoughtbot", "versions": [{"status": "affected", "version": "All versions since 3.1.4"}]}], "datePublic": "2017-04-21T00:00:00", "descriptions": [{"lang": "en", "value": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF) (CWE-918)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-11-13T16:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/209430"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/713"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2017-04-21T00:00:00", "ID": "CVE-2017-0889", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "paperclip ruby gem", "version": {"version_data": [{"version_value": "All versions since 3.1.4"}]}}]}, "vendor_name": "thoughtbot"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server-Side Request Forgery (SSRF) (CWE-918)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/209430", "refsource": "MISC", "url": "https://hackerone.com/reports/209430"}, {"name": "https://github.com/thoughtbot/paperclip/pull/2435", "refsource": "CONFIRM", "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"name": "https://hackerone.com/reports/713", "refsource": "MISC", "url": "https://hackerone.com/reports/713"}]}}}}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-0889", "datePublished": "2017-04-21T00:00:00", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2017-11-13T16:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thoughtbot:paperclip:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "36D3092D-A988-486C-99A8-B0D53FA84A32", "versionEndExcluding": "5.2.0", "versionStartIncluding": "3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."}, {"lang": "es", "value": "La gema de Ruby Paperclip en su versi\u00f3n 3.1.4 y siguientes sufre de una vulnerabilidad Server-Side Request Forgery (SSRF) en la clase Paperclip::UriAdapter. Los atacantes podr\u00edan ser capaces de acceder a informaci\u00f3n sobre recursos de la red interna."}], "id": "CVE-2017-0889", "lastModified": "2019-10-09T23:21:08.150", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-13T17:29:00.193", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"source": "support@hackerone.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/209430"}, {"source": "support@hackerone.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/713"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "support@hackerone.com", "type": "Secondary"}]}