From d821bf162550302abd1fa1fe15007f3012b76f32 Mon Sep 17 00:00:00 2001 From: Al Snow Date: Thu, 30 Nov 2023 15:29:51 -0500 Subject: [PATCH] GHSA Sync: Added 1 brand new advisory --- gems/carrierwave/CVE-2023-49090.yml | 50 +++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) create mode 100644 gems/carrierwave/CVE-2023-49090.yml diff --git a/gems/carrierwave/CVE-2023-49090.yml b/gems/carrierwave/CVE-2023-49090.yml new file mode 100644 index 0000000000..1980250d0a --- /dev/null +++ b/gems/carrierwave/CVE-2023-49090.yml 
@@ -0,0 +1,50 @@ +--- +gem: carrierwave +cve: 2023-49090 +ghsa: gxhx-g4fq-49hj +url: https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj +title: CarrierWave Content-Type allowlist bypass vulnerability, + possibly leading to XSS +date: 2023-11-29 +description: | + ###Impact + [CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb) + has a Content-Type allowlist bypass vulnerability, possibly leading to XSS. + + The validation in `allowlisted_content_type?` determines Content-Type + permissions by performing a partial match. + If the `content_type` argument of `allowlisted_content_type?` is passed + a value crafted by the attacker, Content-Types not included in the + `content_type_allowlist` will be allowed. + + In addition, by setting the Content-Type configured by the attacker + at the time of file delivery, it is possible to cause XSS on the + user's browser when the uploaded file is opened. + + ### Patches + Upgrade to [3.0.5](https://rubygems.org/gems/carrierwave/versions/3.0.5) + or [2.2.5](https://rubygems.org/gems/carrierwave/versions/2.2.5). + + ### Workarounds + When validating with `allowlisted_content_type?` in + [CarrierWave::Uploader::ContentTypeAllowlist](https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb), + forward match(`\\A`) the Content-Type set in `content_type_allowlist`, + preventing unintentional permission of `text/html;image/png` when + you want to allow only `image/png` in `content_type_allowlist`. 
+ + ### References + [OWASP - File Upload Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/File_Upload_Cheat_Sheet.html#content-type-validation) +cvss_v3: 6.8 +patched_versions: + - "~> 2.2.5" + - ">= 3.0.5" +related: + url: + - https://nvd.nist.gov/vuln/detail/CVE-2023-49090 + - https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-gq-49hj + - https://github.com/carrierwaveuploader/carrierwave/commit/39b282db5c1303899b3d3381ce8a837840f983b5 + - https://github.com/carrierwaveuploader/carrierwave/commit/863d425c76eba12c3294227b39018f6b2dccbbf3 + - https://github.com/carrierwaveuploader/carrierwave/blob/master/lib/carrierwave/uploader/content_type_allowlist.rb + - https://rubygems.org/gems/carrierwave/versions/2.2.5 + - https://rubygems.org/gems/carrierwave/versions/3.0.5 + - https://github.com/advisories/GHSA-gxhx-g4fq-49hj
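Review bot: The second `related.url` entry in this hunk, `https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-gq-49hj`, has a truncated GHSA identifier (`gxhx-gq-49hj`) that does not match the `ghsa: gxhx-g4fq-49hj` field, the top-level `url:` value, or the final `related.url` entry `https://github.com/advisories/GHSA-gxhx-g4fq-49hj`, so the link will not resolve to this advisory; it should read `https://github.com/carrierwaveuploader/carrierwave/security/advisories/GHSA-gxhx-g4fq-49hj`. Two smaller consistency points in the `description` block: `###Impact` lacks the space after the hashes that `### Patches` and `### Workarounds` have, so Markdown renderers will not treat it as a heading; and because the description is a YAML literal block scalar (`|`), backslashes are not escape characters, so `forward match(`\\A`)` will render with two backslashes, whereas the Ruby start-of-string anchor the workaround refers to is a single `\A`.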