CVE - CVE-2024-22049

CVE-ID
CVE-2024-22049	Learn more at National Vulnerability Database (NVD) • CVSS Severity Rating • Fix Information • Vulnerable Software Versions • SCAP Mappings • CPE Information
Description
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
References
Note: References are provided for the convenience of the reader to help distinguish between vulnerabilities. The list is not intended to be complete.
FEDORA:FEDORA-2024-2648dd2e0e URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/ FEDORA:FEDORA-2024-a5aad4eede URL:https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/ MISC:https://github.com/advisories/GHSA-5pq7-52mg-hr42 URL:https://github.com/advisories/GHSA-5pq7-52mg-hr42 MISC:https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43 URL:https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43 MISC:https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e URL:https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e MISC:https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 URL:https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42 MISC:https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42 URL:https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42 MLIST:[debian-lts-announce] 20240123 [SECURITY] [DLA 3716-1] ruby-httparty security update URL:https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
Assigning CNA
VulnCheck
Date Record Created
20240104	Disclaimer: The record creation date may reflect when the CVE ID was allocated or reserved, and does not necessarily indicate when this vulnerability was discovered, shared with the affected vendor, publicly disclosed, or updated in CVE.
Phase (Legacy)
Assigned (20240104)
Votes (Legacy)

Comments (Legacy)

Proposed (Legacy)
N/A
This is an record on the CVE List, which provides common identifiers for publicly known cybersecurity vulnerabilities.
Search CVE Using Keywords: You can also search by reference using the CVE Reference Maps.
For More Information: CVE Request Web Form (select "Other" from dropdown)