CVE-2024-22049 - OpenCVE

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
John Nunemaker	Httparty

Configuration 1 [-]

cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://github.com/advisories/GHSA-5pq7-52mg-hr42
https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42

History

No history.

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published: 2024-01-04T20:19:02.547Z

Updated: 2024-08-01T22:35:34.900Z

Reserved: 2024-01-04T18:44:53.108Z

Link: CVE-2024-22049

Vulnrichment

No data.

NVD

Status : Modified

Published: 2024-01-04T21:15:10.013

Modified: 2024-01-23T19:15:08.283

Link: CVE-2024-22049

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22049", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2024-01-04T18:44:53.108Z", "datePublished": "2024-01-04T20:19:02.547Z", "dateUpdated": "2024-08-01T22:35:34.900Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://rubygems.org", "defaultStatus": "unaffected", "packageName": "httparty", "versions": [{"lessThanOrEqual": "0.20.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.</p>"}], "value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\n\n"}], "problemTypes": [{"descriptions": [{"cweId": "CWE-472", "description": "CWE-472 External Control of Assumed-Immutable Web Parameter", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2024-01-04T20:19:02.547Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"}, {"tags": ["patch"], "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"}, {"tags": ["related"], "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"}, {"tags": ["third-party-advisory"], "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"}, {"tags": ["third-party-advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"}], "source": {"discovery": "INTERNAL"}, "title": "httparty Multipart/Form-Data Request Tampering Vulnerability"}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:35:34.900Z"}, "title": "CVE Program Container", "references": [{"tags": ["vendor-advisory", "x_transferred"], "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"}, {"tags": ["patch", "x_transferred"], "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"}, {"tags": ["related", "x_transferred"], "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"}, {"tags": ["third-party-advisory", "x_transferred"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*", "matchCriteriaId": "7AB0E617-C4C9-43D8-BC21-30529152AD78", "versionEndExcluding": "0.21.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\n\n"}, {"lang": "es", "value": "httparty anterior a 0.21.0 es afectado por una vulnerabilidad de par\u00e1metro web supuestamente inmutable. Un atacante remoto y no autenticado puede proporcionar un par\u00e1metro de filename manipulado durante las cargas de datos de multipart/form-data, lo que podr\u00eda dar lugar a que se escriban nombres de archivos controlados por el atacante."}], "id": "CVE-2024-22049", "lastModified": "2024-01-23T19:15:08.283", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-01-04T21:15:10.013", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit"], "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch"], "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Patch", "Vendor Advisory"], "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"}, {"source": "disclosure@vulncheck.com", "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"}, {"source": "disclosure@vulncheck.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"}, {"source": "disclosure@vulncheck.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"}, {"source": "disclosure@vulncheck.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-668"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-472"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}