Vulnerabilities > CVE-2017-0889 - Server-Side Request Forgery (SSRF) vulnerability in Thoughtbot Paperclip

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

thoughtbot

CWE-918

critical

NVD

Published: 2017-11-13

Updated: 2019-10-09

Summary

Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources.

Vulnerable Configurations

Part	Description	Count
Application	Thoughtbot Thoughtbot Paperclip 3.1.4 Thoughtbot Paperclip 3.2.0 Thoughtbot Paperclip 3.2.1 Thoughtbot Paperclip 3.3.0 Thoughtbot Paperclip 3.3.1 Thoughtbot Paperclip 3.4.0 Thoughtbot Paperclip 3.4.1 Thoughtbot Paperclip 3.4.2 Thoughtbot Paperclip 3.5.0 Thoughtbot Paperclip 3.5.1 Thoughtbot Paperclip 3.5.1.1 Thoughtbot Paperclip 3.5.2 Thoughtbot Paperclip 3.5.3 Thoughtbot Paperclip 3.5.4 Thoughtbot Paperclip 4.0.0 Thoughtbot Paperclip 4.1.0 Thoughtbot Paperclip 4.1.1 Thoughtbot Paperclip 4.2.0 Thoughtbot Paperclip 4.2.1 Thoughtbot Paperclip 4.2.2 Thoughtbot Paperclip 4.2.3 Thoughtbot Paperclip 4.2.4 Thoughtbot Paperclip 4.3.0 Thoughtbot Paperclip 4.3.1 Thoughtbot Paperclip 4.3.2 Thoughtbot Paperclip 4.3.3 Thoughtbot Paperclip 4.3.4 Thoughtbot Paperclip 4.3.5 Thoughtbot Paperclip 4.3.6 Thoughtbot Paperclip 4.3.7 Thoughtbot Paperclip 5.0.0 Thoughtbot Paperclip 5.1.0	34

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References