cvelistv5 - cve-2024-22049

CVE-2024-22049 (GCVE-0-2024-22049)

Vulnerability from cvelistv5

Published

2024-01-04 20:19

Modified

2025-11-29 01:18

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE

CWE-472 - External Control of Assumed-Immutable Web Parameter

Summary

httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.

References

URL

Tags

disclosure@vulncheck.com	https://github.com/advisories/GHSA-5pq7-52mg-hr42	Exploit, Third Party Advisory
disclosure@vulncheck.com	https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43	Exploit
disclosure@vulncheck.com	https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e	Patch
disclosure@vulncheck.com	https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42	Exploit, Patch, Vendor Advisory
disclosure@vulncheck.com	https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
disclosure@vulncheck.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
disclosure@vulncheck.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
disclosure@vulncheck.com	https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-5pq7-52mg-hr42	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
af854a3a-2127-422b-91ae-364da2661108	https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
			Version: 0 ≤ 0.20.0

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-09-28T12:03:40.887Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
          },
          {
            "tags": [
              "patch",
              "x_transferred"
            ],
            "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
          },
          {
            "tags": [
              "related",
              "x_transferred"
            ],
            "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
          },
          {
            "tags": [
              "third-party-advisory",
              "x_transferred"
            ],
            "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 5.3,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-22049",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-09T23:58:32.687393Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-03T14:42:07.312Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://rubygems.org",
          "defaultStatus": "unaffected",
          "packageName": "httparty",
          "versions": [
            {
              "lessThanOrEqual": "0.20.0",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
                  "versionEndIncluding": "0.20.0",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003ehttparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\u003c/p\u003e"
            }
          ],
          "value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-472",
              "description": "CWE-472 External Control of Assumed-Immutable Web Parameter",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-29T01:18:47.199Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
        },
        {
          "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
        },
        {
          "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
        }
      ],
      "source": {
        "discovery": "INTERNAL"
      },
      "title": "httparty Multipart/Form-Data Request Tampering Vulnerability",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2024-22049",
    "datePublished": "2024-01-04T20:19:02.547Z",
    "dateReserved": "2024-01-04T18:44:53.108Z",
    "dateUpdated": "2025-11-29T01:18:47.199Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-22049\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2024-01-04T21:15:10.013\",\"lastModified\":\"2025-06-03T15:15:56.780\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\"},{\"lang\":\"es\",\"value\":\"httparty anterior a 0.21.0 es afectado por una vulnerabilidad de par\u00e1metro web supuestamente inmutable. Un atacante remoto y no autenticado puede proporcionar un par\u00e1metro de filename manipulado durante las cargas de datos de multipart/form-data, lo que podr\u00eda dar lugar a que se escriban nombres de archivos controlados por el atacante.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4},{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-472\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-668\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"0.21.0\",\"matchCriteriaId\":\"7AB0E617-C4C9-43D8-BC21-30529152AD78\"}]}]}],\"references\":[{\"url\":\"https://github.com/advisories/GHSA-5pq7-52mg-hr42\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/\",\"source\":\"disclosure@vulncheck.com\"},{\"url\":\"https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/advisories/GHSA-5pq7-52mg-hr42\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\"]},{\"url\":\"https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42\", \"tags\": [\"vendor-advisory\", \"x_transferred\"]}, {\"url\": \"https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e\", \"tags\": [\"patch\", \"x_transferred\"]}, {\"url\": \"https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\", \"tags\": [\"related\", \"x_transferred\"]}, {\"url\": \"https://github.com/advisories/GHSA-5pq7-52mg-hr42\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42\", \"tags\": [\"third-party-advisory\", \"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-09-28T12:03:40.887Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.3, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-22049\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-09T23:58:32.687393Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-05-09T23:58:34.250Z\"}}], \"cna\": {\"title\": \"httparty Multipart/Form-Data Request Tampering Vulnerability\", \"source\": {\"discovery\": \"INTERNAL\"}, \"affected\": [{\"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"0.20.0\"}], \"packageName\": \"httparty\", \"collectionURL\": \"https://rubygems.org\", \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e\", \"tags\": [\"patch\"]}, {\"url\": \"https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\", \"tags\": [\"related\"]}, {\"url\": \"https://github.com/advisories/GHSA-5pq7-52mg-hr42\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42\", \"tags\": [\"third-party-advisory\"]}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/\"}, {\"url\": \"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/\"}, {\"url\": \"https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html\"}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003ehttparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\u003c/p\u003e\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-472\", \"description\": \"CWE-472 External Control of Assumed-Immutable Web Parameter\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndIncluding\": \"0.20.0\", \"versionStartIncluding\": \"0\"}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2025-11-29T01:18:47.199Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-22049\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-11-29T01:18:47.199Z\", \"dateReserved\": \"2024-01-04T18:44:53.108Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2024-01-04T20:19:02.547Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

gsd-2024-22049

Vulnerability from gsd

Modified

2024-01-05 06:02

Details

Aliases

CVE-2024-22049

JSON

To clipboard

{
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2024-22049"
      ],
      "details": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\n\n",
      "id": "GSD-2024-22049",
      "modified": "2024-01-05T06:02:20.488565Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "disclosure@vulncheck.com",
        "ID": "CVE-2024-22049",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\n\n"
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "cweId": "CWE-472",
                "lang": "eng",
                "value": "CWE-472 External Control of Assumed-Immutable Web Parameter"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42",
            "refsource": "MISC",
            "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
          },
          {
            "name": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e",
            "refsource": "MISC",
            "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
          },
          {
            "name": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43",
            "refsource": "MISC",
            "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
          },
          {
            "name": "https://github.com/advisories/GHSA-5pq7-52mg-hr42",
            "refsource": "MISC",
            "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
          },
          {
            "name": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42",
            "refsource": "MISC",
            "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
          },
          {
            "name": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/",
            "refsource": "MISC",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
          },
          {
            "name": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html",
            "refsource": "MISC",
            "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
          }
        ]
      },
      "source": {
        "discovery": "INTERNAL"
      }
    },
    "nvd.nist.gov": {
      "cve": {
        "configurations": [
          {
            "nodes": [
              {
                "cpeMatch": [
                  {
                    "criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
                    "matchCriteriaId": "7AB0E617-C4C9-43D8-BC21-30529152AD78",
                    "versionEndExcluding": "0.21.0",
                    "vulnerable": true
                  }
                ],
                "negate": false,
                "operator": "OR"
              }
            ]
          }
        ],
        "descriptions": [
          {
            "lang": "en",
            "value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.\n\n"
          },
          {
            "lang": "es",
            "value": "httparty anterior a 0.21.0 es afectado por una vulnerabilidad de par\u00e1metro web supuestamente inmutable. Un atacante remoto y no autenticado puede proporcionar un par\u00e1metro de filename manipulado durante las cargas de datos de multipart/form-data, lo que podr\u00eda dar lugar a que se escriban nombres de archivos controlados por el atacante."
          }
        ],
        "id": "CVE-2024-22049",
        "lastModified": "2024-01-23T19:15:08.283",
        "metrics": {
          "cvssMetricV31": [
            {
              "cvssData": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              },
              "exploitabilityScore": 3.9,
              "impactScore": 1.4,
              "source": "nvd@nist.gov",
              "type": "Primary"
            }
          ]
        },
        "published": "2024-01-04T21:15:10.013",
        "references": [
          {
            "source": "disclosure@vulncheck.com",
            "tags": [
              "Exploit",
              "Third Party Advisory"
            ],
            "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
          },
          {
            "source": "disclosure@vulncheck.com",
            "tags": [
              "Exploit"
            ],
            "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
          },
          {
            "source": "disclosure@vulncheck.com",
            "tags": [
              "Patch"
            ],
            "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
          },
          {
            "source": "disclosure@vulncheck.com",
            "tags": [
              "Exploit",
              "Patch",
              "Vendor Advisory"
            ],
            "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
          },
          {
            "source": "disclosure@vulncheck.com",
            "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
          },
          {
            "source": "disclosure@vulncheck.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
          },
          {
            "source": "disclosure@vulncheck.com",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
          },
          {
            "source": "disclosure@vulncheck.com",
            "tags": [
              "Patch",
              "Third Party Advisory"
            ],
            "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
          }
        ],
        "sourceIdentifier": "disclosure@vulncheck.com",
        "vulnStatus": "Modified",
        "weaknesses": [
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-668"
              }
            ],
            "source": "nvd@nist.gov",
            "type": "Primary"
          },
          {
            "description": [
              {
                "lang": "en",
                "value": "CWE-472"
              }
            ],
            "source": "disclosure@vulncheck.com",
            "type": "Secondary"
          }
        ]
      }
    }
  }
}

fkie_cve-2024-22049

Vulnerability from fkie_nvd

Published

2024-01-04 21:15

Modified

2025-06-03 15:15

Severity ?

5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
5.3 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

References

URL	Tags
disclosure@vulncheck.com	https://github.com/advisories/GHSA-5pq7-52mg-hr42	Exploit, Third Party Advisory
disclosure@vulncheck.com	https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43	Exploit
disclosure@vulncheck.com	https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e	Patch
disclosure@vulncheck.com	https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42	Exploit, Patch, Vendor Advisory
disclosure@vulncheck.com	https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
disclosure@vulncheck.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
disclosure@vulncheck.com	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
disclosure@vulncheck.com	https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/advisories/GHSA-5pq7-52mg-hr42	Exploit, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43	Exploit
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e	Patch
af854a3a-2127-422b-91ae-364da2661108	https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42	Exploit, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/
af854a3a-2127-422b-91ae-364da2661108	https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/
af854a3a-2127-422b-91ae-364da2661108	https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42	Patch, Third Party Advisory

Impacted products

	Vendor	Product	Version
	john_nunemaker	httparty	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:john_nunemaker:httparty:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "7AB0E617-C4C9-43D8-BC21-30529152AD78",
              "versionEndExcluding": "0.21.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written."
    },
    {
      "lang": "es",
      "value": "httparty anterior a 0.21.0 es afectado por una vulnerabilidad de par\u00e1metro web supuestamente inmutable. Un atacante remoto y no autenticado puede proporcionar un par\u00e1metro de filename manipulado durante las cargas de datos de multipart/form-data, lo que podr\u00eda dar lugar a que se escriban nombres de archivos controlados por el atacante."
    }
  ],
  "id": "CVE-2024-22049",
  "lastModified": "2025-06-03T15:15:56.780",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "nvd@nist.gov",
        "type": "Primary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.3,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 1.4,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2024-01-04T21:15:10.013",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ],
      "url": "https://github.com/advisories/GHSA-5pq7-52mg-hr42"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit"
      ],
      "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Patch",
        "Vendor Advisory"
      ],
      "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-472"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-668"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-5pq7-52mg-hr42

Vulnerability from github

Published

2023-01-03 13:36

Modified

2024-01-05 15:32

Severity ?

6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Summary

httparty has multipart/form-data request tampering vulnerability

Details

Impact

I found "multipart/form-data request tampering vulnerability" caused by Content-Disposition "filename" lack of escaping in httparty.

httparty/lib/httparty/request > body.rb > def generate_multipart

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

By exploiting this problem, the following attacks are possible

An attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field.
Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename

For example, this vulnerability can be exploited to generate the following Content-Disposition.

Normal Request example: normal input filename: abc.txt

generated normal header in multipart/form-data Content-Disposition: form-data; name="avatar"; filename="abc.txt"

Malicious Request example malicious input filename: overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt

generated malicious header in multipart/form-data: Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

The Abused Header has multiple name ( avatar & foo ) fields and the "filename" has been rewritten from *.txt to *.sh .

These problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request. I have confirmed that the attack succeeds, at least in the following frameworks

Spring (Java)
Ktor (Kotlin)
Ruby on Rails (Ruby)

The cause of this problem is the lack of escaping of the " (Double-Quote) character in Content-Disposition > filename.

WhatWG's HTML spec has an escaping requirement.

https://html.spec.whatwg.org/#multipart-form-data

For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

Patches

As noted at the beginning of this section, encoding must be done as described in the HTML Spec.

https://html.spec.whatwg.org/#multipart-form-data

For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence %0A, 0x0D (CR) with %0D and 0x22 (") with %22. The user agent must not perform any other escapes.

Therefore, it is recommended that Content-Disposition be modified by either of the following

Before: Content-Disposition: attachment;filename="malicious.sh";dummy=.txt

After: Content-Disposition: attachment;filename="%22malicious.sh%22;dummy=.txt"

https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43

file_name.gsub('"', '%22')

Also, as for \r, \n, URL Encode is not done, but it is not newlines, so it seemed to be OK. However, since there may be omissions, it is safer to URL encode these as well, if possible. ( \r to %0A and \d to %0D )

PoC

PoC Environment

OS: macOS Monterey(12.3) Ruby ver: ruby 3.1.2p20 httparty ver: 0.20.0 (Python3 - HTTP Request Logging Server)

PoC procedure

(Linux or MacOS is required. This is because Windows does not allow file names containing " (double-quote) .)

Create Project $ mkdir my-app $ cd my-app $ gem install httparty
Create malicious file

$ touch 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

Generate Vuln code

$ vi example.rb

``` require 'httparty'

filename = 'overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt'

HTTParty.post('http://localhost:12345/', body: { name: 'Foo Bar', email: 'example@email.com', avatar: File.open(filename) } ) ```

Run Logging Server

I write Python code, but any method will work as long as you can see the HTTP Request Body. (e.g. Debugger, HTTP Logging Server, Packet Capture)

$ vi logging.py ``` from http.server import HTTPServer from http.server import BaseHTTPRequestHandler

class LoggingServer(BaseHTTPRequestHandler):

def do_POST(self):
    self.send_response(200)
    self.end_headers()
    self.wfile.write("ok".encode("utf-8"))

    content_length = int(self.headers['Content-Length'])
    post_data = self.rfile.read(content_length)
    print("POST request,\nPath: %s\nHeaders:\n%s\n\nBody:\n%s\n",
                 str(self.path), str(self.headers), post_data.decode('utf-8'))
    self.wfile.write("POST request for {}".format(self.path).encode('utf-8'))

ip = '127.0.0.1' port = 12345

server = HTTPServer((ip, port), LoggingServer) server.serve_forever() ```

$ python logging.py

Run & Logging server

$ run example.rb

Return Request Header & Body:

User-Agent: Ruby Content-Type: multipart/form-data; boundary=------------------------F857UcxRc2J1zFOz Connection: close Host: localhost:12345 Content-Length: 457

--------------------------F857UcxRc2J1zFOz Content-Disposition: form-data; name="name"

Foo Bar --------------------------F857UcxRc2J1zFOz Content-Disposition: form-data; name="email"

example@email.com --------------------------F857UcxRc2J1zFOz Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt" Content-Type: text/plain

abc --------------------------F857UcxRc2J1zFOz--

Content-Disposition:

Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"

name fields is duplicate (avator & foo)
filename & extension tampering ( .txt --> .sh )

References

I also include a similar report that I previously reported to Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=1556711
I will post some examples of frameworks that did not have problems as reference.

Golang https://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144

Spring https://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267

Symphony https://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133

For more information

If you have any questions or comments about this advisory: * Email us at kumagoro_alice@yahoo.co.jp

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.20.0"
      },
      "package": {
        "ecosystem": "RubyGems",
        "name": "httparty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-22049"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-472"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-03T13:36:46Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\nI found \"multipart/form-data request tampering vulnerability\" caused by Content-Disposition \"filename\" lack of escaping in httparty.\n\n`httparty/lib/httparty/request` \u003e `body.rb` \u003e `def generate_multipart`\n\nhttps://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\n\nBy exploiting this problem, the following attacks are possible\n\n* An attack that rewrites the \"name\" field according to the crafted file name, impersonating (overwriting) another field.\n* Attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename\n\nFor example, this vulnerability can be exploited to generate the following Content-Disposition.\n\n\u003e Normal Request example:\n\u003e normal input filename: `abc.txt`\n\u003e \n\u003e generated normal header in multipart/form-data\n\u003e `Content-Disposition: form-data; name=\"avatar\"; filename=\"abc.txt\"`\n \n\u003e Malicious Request example\n\u003e malicious input filename: `overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt`\n\u003e \n\u003e generated malicious header in multipart/form-data:\n\u003e `Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt\"`\n\nThe Abused Header has multiple name ( `avatar` \u0026 `foo` ) fields and the \"filename\" has been rewritten from `*.txt` to `*.sh` .\n\nThese problems can result in successful or unsuccessful attacks, depending on the behavior of the parser receiving the request.\nI have confirmed that the attack succeeds, at least in the following frameworks\n\n * Spring (Java)\n * Ktor (Kotlin)\n * Ruby on Rails (Ruby)\n\nThe cause of this problem is the lack of escaping of the `\"` (Double-Quote) character in Content-Disposition \u003e filename.\n\nWhatWG\u0027s HTML spec has an escaping requirement.\n\nhttps://html.spec.whatwg.org/#multipart-form-data\n\n\u003e For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence `%0A`, 0x0D (CR) with `%0D` and 0x22 (\") with `%22`. The user agent must not perform any other escapes.\n\n\n\n### Patches\n\nAs noted at the beginning of this section, encoding must be done as described in the HTML Spec.\n\nhttps://html.spec.whatwg.org/#multipart-form-data\n\n\u003e For field names and filenames for file fields, the result of the encoding in the previous bullet point must be escaped by replacing any 0x0A (LF) bytes with the byte sequence `%0A`, 0x0D (CR) with `%0D` and 0x22 (\") with `%22`. The user agent must not perform any other escapes.\n\nTherefore, it is recommended that Content-Disposition be modified by either of the following\n\n\u003e Before:\n\u003e `Content-Disposition: attachment;filename=\"malicious.sh\";dummy=.txt`\n\n\u003e After:\n\u003e `Content-Disposition: attachment;filename=\"%22malicious.sh%22;dummy=.txt\"`\n\nhttps://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43\n\n```\nfile_name.gsub(\u0027\"\u0027, \u0027%22\u0027)\n```\n\nAlso, as for `\\r`, `\\n`, URL Encode is not done, but it is not newlines, so it seemed to be OK.\nHowever, since there may be omissions, it is safer to URL encode these as well, if possible.\n( `\\r` to `%0A` and `\\d` to `%0D` ) \n\n### PoC\n\n#### PoC Environment\n\nOS: macOS Monterey(12.3)\nRuby ver: ruby 3.1.2p20 \nhttparty ver: 0.20.0\n(Python3 - HTTP Request Logging Server)\n\n### PoC procedure\n\n\n(Linux or MacOS is required. \nThis is because Windows does not allow file names containing `\"` (double-quote) .)\n\n1. Create Project \n```\n$ mkdir my-app\n$ cd my-app\n$ gem install httparty\n```\n\n2. Create malicious file\n\n```\n$ touch \u0027overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt\u0027\n```\n\n3. Generate Vuln code\n\n```\n$ vi example.rb\n```\n\n```\nrequire \u0027httparty\u0027\n\nfilename = \u0027overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt\u0027\n\nHTTParty.post(\u0027http://localhost:12345/\u0027,\n  body: {\n    name: \u0027Foo Bar\u0027,\n    email: \u0027example@email.com\u0027,\n    avatar: File.open(filename)\n  }\n)\n```\n\n\n4. Run Logging Server\n\nI write Python code, but any method will work as long as you can see the HTTP Request Body.\n(e.g. Debugger, HTTP Logging Server, Packet Capture) \n\n\n$ vi logging.py\n```\nfrom http.server import HTTPServer\nfrom http.server import BaseHTTPRequestHandler\n\nclass LoggingServer(BaseHTTPRequestHandler):\n\n    def do_POST(self):\n        self.send_response(200)\n        self.end_headers()\n        self.wfile.write(\"ok\".encode(\"utf-8\"))\n\n        content_length = int(self.headers[\u0027Content-Length\u0027])\n        post_data = self.rfile.read(content_length)\n        print(\"POST request,\\nPath: %s\\nHeaders:\\n%s\\n\\nBody:\\n%s\\n\",\n                     str(self.path), str(self.headers), post_data.decode(\u0027utf-8\u0027))\n        self.wfile.write(\"POST request for {}\".format(self.path).encode(\u0027utf-8\u0027))\n\nip = \u0027127.0.0.1\u0027\nport = 12345\n\nserver = HTTPServer((ip, port), LoggingServer)\nserver.serve_forever()\n```\n\n$ python logging.py\n\n\n5. Run \u0026 Logging server\n\n```\n$ run example.rb\n```\n\nReturn Request Header \u0026 Body:\n\n\u003e User-Agent: Ruby\n\u003e Content-Type: multipart/form-data; boundary=------------------------F857UcxRc2J1zFOz\n\u003e Connection: close\n\u003e Host: localhost:12345\n\u003e Content-Length: 457\n\u003e \n\u003e  --------------------------F857UcxRc2J1zFOz\n\u003e Content-Disposition: form-data; name=\"name\"\n\u003e \n\u003e Foo Bar\n\u003e --------------------------F857UcxRc2J1zFOz\n\u003e Content-Disposition: form-data; name=\"email\"\n\u003e \n\u003e example@email.com\n\u003e --------------------------F857UcxRc2J1zFOz\n\u003e Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt\"\n\u003e Content-Type: text/plain\n\u003e \n\u003e abc\n\u003e --------------------------F857UcxRc2J1zFOz--\n\n\nContent-Disposition:\n\u003e Content-Disposition: form-data; name=\"avatar\"; filename=\"overwrite_name_field_and_extension.sh\"; name=\"foo\"; dummy=\".txt\"\n\n* name fields is duplicate (avator \u0026 foo)\n* filename \u0026 extension tampering ( .txt --\u003e .sh )\n\n\n\n\n### References\n\n1. I also include a similar report that I previously reported to Firefox.\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1556711\n\n\n2. I will post some examples of frameworks that did not have problems as reference.\n\nGolang\nhttps://github.com/golang/go/blob/e0e0c8fe9881bbbfe689ad94ca5dddbb252e4233/src/mime/multipart/writer.go#L144\n\nSpring\nhttps://github.com/spring-projects/spring-framework/blob/4cc91e46b210b4e4e7ed182f93994511391b54ed/spring-web/src/main/java/org/springframework/http/ContentDisposition.java#L259-L267\n\nSymphony\nhttps://github.com/symfony/symfony/blob/123b1651c4a7e219ba59074441badfac65525efe/src/Symfony/Component/Mime/Header/ParameterizedHeader.php#L128-L133\n\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Email us at [kumagoro_alice@yahoo.co.jp](mailto:kumagoro_alice@yahoo.co.jp)\n",
  "id": "GHSA-5pq7-52mg-hr42",
  "modified": "2024-01-05T15:32:51Z",
  "published": "2023-01-03T13:36:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-22049"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jnunemaker/httparty"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/httparty/CVE-2024-22049.yml"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "httparty has multipart/form-data request tampering vulnerability"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2024-22049 (GCVE-0-2024-22049)

Vulnerability from cvelistv5

gsd-2024-22049

Vulnerability from gsd

fkie_cve-2024-22049

Vulnerability from fkie_nvd

ghsa-5pq7-52mg-hr42

Vulnerability from github

Impact

Patches

PoC

PoC Environment

PoC procedure

References

For more information

Tags

Sightings

Nomenclature