{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-21T12:48:35.807","vulnerabilities":[{"cve":{"id":"CVE-2023-49090","sourceIdentifier":"security-advisories@github.com","published":"2023-11-29T15:15:08.900","lastModified":"2024-11-21T08:32:48.110","vulnStatus":"Modified","cveTags":[],"descriptions":[{"lang":"en","value":"CarrierWave is a solution for file uploads for Rails, Sinatra and other Ruby web frameworks. CarrierWave has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. The validation in `allowlisted_content_type?` checks the supplied Content-Type against `content_type_allowlist` using a partial match rather than an exact match. An attacker who controls the `content_type` argument passed to `allowlisted_content_type?` can therefore get a Content-Type that is not included in `content_type_allowlist` accepted. This issue has been patched in versions 2.2.5 and 3.0.5; versions before 2.2.5 and versions 3.0.0 through 3.0.4 are affected."},{"lang":"es","value":"CarrierWave es una solución para carga de archivos para Rails, Sinatra y otros frameworks web Ruby. CarrierWave tiene una vulnerabilidad de omisión de lista permitida de tipo de contenido, que posiblemente conduzca a XSS. La validación en `allowlisted_content_type?` determina los permisos de tipo de contenido realizando una coincidencia parcial. Si al argumento `content_type` de `allowlisted_content_type?` se le pasa un valor creado por el atacante, se permitirán los tipos de contenido no incluidos en `content_type_allowlist`. Este problema se solucionó en las versiones 2.2.5 y 3.0.5."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N","baseScore":6.8,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"NONE","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":4.0},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N","baseScore":6.1,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":2.7}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*","versionEndExcluding":"2.2.5","matchCriteriaId":"24759284-5E91-43AE-80B4-ED77679DAE19"},{"vulnerable":true,"criteria":"cpe:2.3:a:carrierwave_project:carrierwave:*:*:*:*:*:ruby:*:*","versionStartIncluding":"3.0.0","versionEndExcluding":"3.0.5","matchCriteriaId":"E3FB153B-EC7F-411D-89EF-99633A3D4784"}]}]}],"references":[{"url":"https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj","source":"security-advisories@github.com","tags":["Vendor Advisory"]},{"url":"https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"]},{"url":"https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Vendor Advisory"]}]}}]}