rubysec · postmodern · Jan 7, 2024 · Jan 7, 2024 · Jan 7, 2024
diff --git a/gems/httparty/CVE-2024-22049.yml b/gems/httparty/CVE-2024-22049.yml
@@ -0,0 +1,28 @@
+---
+gem: httparty
+cve: 2024-22049
+ghsa: 5pq7-52mg-hr42
+url: https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
+title: httparty has multipart/form-data request tampering vulnerability
+date: 2023-01-03
+description: |
+  HTTP multipart/form-data request tampering vulnerability in httparty < 0.20.0,
+  due to lack of proper escaping of double quotes within the filename attribute
+  of the Content-Disposition header. If the Content-Disposition header is set to
+  "form-data" and contains the "filename" attribute, and the "filename"
+  attribute contains a double quote followed by additional attributes, then
+  those attributes will be parsed as Content-Disposition attributes and will
+  override the Content-Disposition header's previous attributes.
+
+      Content-Disposition: form-data; name="avatar"; filename="overwrite_name_field_and_extension.sh"; name="foo"; dummy=".txt"
+
+cvss_v3: 6.5
+patched_versions:
+  - ">= 0.21.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2024-22049
+    - https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42
+    - https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e
+    - https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43
+    - https://github.com/advisories/GHSA-5pq7-52mg-hr42