==========================================================================
Ubuntu Security Notice USN-7497-1
May 07, 2025

ruby-carrierwave vulnerabilities
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 24.04 LTS
- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Several security issues were fixed in CarrierWave.

Software Description:
- ruby-carrierwave: Ruby file upload library

Details:

Rikita Ishikawa discovered that CarrierWave did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute
arbitrary code. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2021-21305)

Norihide Saito discovered that CarrierWave did not correctly sanitize
certain inputs. An attacker could possibly use this issue to execute a
cross-site scripting (XSS) attack. (CVE-2023-49090)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 24.04 LTS
  ruby-carrierwave                1.3.2-2ubuntu0.24.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 22.04 LTS
  ruby-carrierwave                1.3.2-2ubuntu0.22.04.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 20.04 LTS
  ruby-carrierwave                1.3.1-2ubuntu0.1~esm1
                                  Available with Ubuntu Pro

Ubuntu 18.04 LTS
  ruby-carrierwave                1.2.2-1ubuntu0.1~esm1
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7497-1
  CVE-2021-21305, CVE-2023-49090