Home > Vulnerability Database > WS-2023-0001

Mend.io Vulnerability Database

WS-2023-0001

Good to know:

Date: January 3, 2023

httparty prior to 0.21.0 has multipart/form-data request tampering vulnerability, which is caused by Content-Disposition "filename" lack of escaping in httparty. By exploiting this problem, an attack that rewrites the "name" field according to the crafted file name, impersonating (overwriting) another field, and attacks that rewrite the filename extension at the time multipart/form-data is generated by tampering with the filename.

Language: Ruby

Severity Score

9.8

Related Resources (2)

Url: https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e

Url: https://www.mend.io/vulnerability-database/WS-2023-0001

Severity Score

9.8

Weakness Type (CWE)

External Control of Assumed-Immutable Web Parameter

CWE-472

Top Fix

Upgrade Version

Upgrade to version PactNet.Linux.x64 - no_fix;PactNet.OSX - no_fix;httparty - 0.21.0;PactNet.Linux.x86 - no_fix;PactNet.Windows - no_fix

Learn More

CVSS v3.1

Base Score:	9.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

WS-2023-0001

Good to know:

Date: January 3, 2023

Language: Ruby

Severity Score

Related Resources (2)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?