Vulnerabilities > CVE-2024-22049 - Exposure of Resource to Wrong Sphere vulnerability in John Nunemaker Httparty
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
LOW Availability impact
NONE Summary
httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
- https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
- https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
- https://github.com/advisories/GHSA-5pq7-52mg-hr42
- https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42
- https://lists.fedoraproject.org/archives/list/[email protected]/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
- https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html