CVE-2021-21288: Server-Side Request Forgery (SSRF)

February 8, 2021 (updated February 12, 2021)

In CarrierWave, the download feature has an SSRF vulnerability, allowing attacks to provide DNS entries or IP addresses that are intended for internal use and gather information about the Intranet infrastructure of the platform.

References

nvd.nist.gov/vuln/detail/CVE-2021-21288

Code Behaviors & Features

Detect and mitigate CVE-2021-21288 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →