CVE-2024-22049

NameCVE-2024-22049
Descriptionhttparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-3716-1, DLA-3900-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-httparty (PTS)bullseye0.18.1-2vulnerable
bullseye (security)0.18.1-2+deb11u1fixed
sid, trixie, bookworm0.21.0-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-httpartysourcebuster0.16.2+dfsg1-3+deb10u1DLA-3716-1
ruby-httpartysourcebullseye0.18.1-2+deb11u1DLA-3900-1
ruby-httpartysource(unstable)0.21.0-1

Notes

https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e (v0.21.0)
Search for package or bug name: Reporting problems