Description

The Paperclip gem provides easy file attachment management for ActiveRecord. Paperclip has a concept of 'IO adapters', each of which provides one way a 'file' can be passed to the library (an uploaded file, a data URI, a URL, and so on).

The vulnerability affects the two Paperclip IO adapters that accept URLs as attachment data:

  • lib/paperclip/io_adapters/http_url_proxy_adapter.rb
  • lib/paperclip/io_adapters/uri_adapter.rb

When either of these adapters is used, Paperclip acts as a proxy: it downloads the file from whatever URI is passed in, using the application server's own network position.

The 'http_url_proxy_adapter.rb' adapter is selected whenever the provided file/attachment data is a string starting with 'http://' or 'https://'. This behaviour is not currently documented by Paperclip, and the library performs no validation of the URL before fetching it, so it offers no protection against Server Side Request Forgery (SSRF).

SSRF (Server Side Request Forgery) is a vulnerability that lets an attacker make the victim server issue requests on the attacker's behalf, to the server's own loopback interface or to other hosts behind the firewall that the attacker cannot reach directly. Consult Web References for more information about this class of problem.
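The following is an added example of the application-side check described above; it is not code from Paperclip or from the advisory. It shows what an application that accepts URL attachments must do before a user-supplied string reaches Paperclip's URL adapters: treat anything starting with 'http://' or 'https://' as a fetch the server will perform, resolve the host the same way the fetch would, and refuse the value if any resolved address falls in a loopback, private, link-local, or cloud-metadata range. The module name, the blocked-range list, the injectable resolver and the sample addresses are all assumptions made for the example; the model wiring at the end is hypothetical.

```ruby
require "ipaddr"
require "socket"
require "uri"

# Added example, not Paperclip code: an application-side guard that decides
# whether a user-supplied attachment value may reach Paperclip's URL adapters.
# Paperclip fetches any string beginning with "http://" or "https://" from the
# server's own network position, so the application must refuse URLs whose
# host resolves to loopback, private, link-local or cloud-metadata ranges
# before the value is assigned to the attachment.
module AttachmentUrlGuard
  # Assumed deny-list; extend it for the deployment's own internal ranges.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # Default resolver: the same getaddrinfo path Net::HTTP uses, so IP
  # literals in unusual spellings (e.g. "0x7f.1") are normalised the way
  # the fetch itself would see them. Injectable so the guard is testable
  # offline.
  DEFAULT_RESOLVER = lambda do |host|
    begin
      Addrinfo.getaddrinfo(host, nil, nil, :STREAM).map(&:ip_address).uniq
    rescue SocketError
      []
    end
  end

  # True when the value is something Paperclip's HttpUrlProxyAdapter would
  # claim, i.e. a string starting with http:// or https://.
  def self.url_like?(value)
    value.is_a?(String) && value.match?(%r{\Ahttps?://}i)
  end

  # True when +ip+ is unparsable or lies in a blocked range. IPv4-mapped
  # IPv6 addresses (::ffff:127.0.0.1) are unmapped first so the IPv4 ranges
  # still apply to them.
  def self.blocked_ip?(ip)
    addr = IPAddr.new(ip)
    addr = addr.native if addr.ipv6? && addr.ipv4_mapped?
    BLOCKED_RANGES.any? { |range| range.include?(addr) }
  rescue IPAddr::InvalidAddressError
    true
  end

  # Validates +value+ and returns the list of resolved addresses on success.
  # Raises ArgumentError with a reason otherwise.
  def self.check!(value, resolver: DEFAULT_RESOLVER)
    raise ArgumentError, "not an http(s) URL" unless url_like?(value)
    uri = URI.parse(value)
    raise ArgumentError, "unsupported scheme" unless %w[http https].include?(uri.scheme.to_s.downcase)
    raise ArgumentError, "credentials embedded in URL" if uri.userinfo
    host = uri.hostname.to_s
    raise ArgumentError, "missing host" if host.empty?

    # Every answer must be acceptable: an attacker-controlled name can
    # return a public address alongside an internal one.
    addrs = resolver.call(host)
    raise ArgumentError, "host does not resolve" if addrs.empty?
    bad = addrs.find { |ip| blocked_ip?(ip) }
    raise ArgumentError, "host resolves to blocked address #{bad}" if bad
    addrs
  rescue URI::InvalidURIError => e
    raise ArgumentError, "malformed URL: #{e.message}"
  end

  # Boolean form of check! for callers that prefer not to rescue.
  def self.safe?(value, resolver: DEFAULT_RESOLVER)
    check!(value, resolver: resolver)
    true
  rescue ArgumentError
    false
  end
end

# Hypothetical wiring into a Paperclip model (not part of the gem): the
# guard runs before the value is handed to the attachment, which is the
# point at which Paperclip would otherwise pick its URL adapter and fetch.
#
#   class Document < ActiveRecord::Base
#     has_attached_file :file
#     def remote_file_url=(url)
#       AttachmentUrlGuard.check!(url)   # raises before Paperclip fetches
#       self.file = url
#     end
#   end
```

Two caveats a practitioner should keep in mind. The guard resolves the name once, and the adapter resolves it again when it fetches, so a name whose answer changes between the two lookups (DNS rebinding) can still reach an internal address; if the fetch follows HTTP redirects, a public URL that redirects to an internal one can as well. This check is therefore defence in depth for applications that deliberately accept URL attachments, not a substitute for upgrading the gem.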

Remediation

Update the Paperclip gem to version 5.2.0 or later to fix this vulnerability. If your application deliberately relies on URL attachments, also validate the URLs in your own code before passing them to Paperclip, regardless of the gem version in use.

References

Related Vulnerabilities