{"containers": {"cna": {"affected": [{"product": "paperclip ruby gem", "vendor": "thoughtbot", "versions": [{"status": "affected", "version": "All versions since 3.1.4"}]}], "datePublic": "2017-04-21T00:00:00", "descriptions": [{"lang": "en", "value": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-918", "description": "Server-Side Request Forgery (SSRF) (CWE-918)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-11-13T16:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/209430"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/713"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2017-04-21T00:00:00", "ID": "CVE-2017-0889", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "paperclip ruby gem", "version": {"version_data": [{"version_value": "All versions since 3.1.4"}]}}]}, "vendor_name": "thoughtbot"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Server-Side Request Forgery (SSRF) (CWE-918)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/209430", "refsource": "MISC", "url": "https://hackerone.com/reports/209430"}, {"name": "https://github.com/thoughtbot/paperclip/pull/2435", "refsource": "CONFIRM", "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"name": "https://hackerone.com/reports/713", "refsource": "MISC", "url": "https://hackerone.com/reports/713"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:18:06.454Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/209430"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/713"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-0889", "datePublished": "2017-11-13T17:00:00Z", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2024-09-16T19:21:11.237Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:thoughtbot:paperclip:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "36D3092D-A988-486C-99A8-B0D53FA84A32", "versionEndExcluding": "5.2.0", "versionStartIncluding": "3.1.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."}, {"lang": "es", "value": "La gema de Ruby Paperclip en su versi\u00f3n 3.1.4 y siguientes sufre de una vulnerabilidad Server-Side Request Forgery (SSRF) en la clase Paperclip::UriAdapter. Los atacantes podr\u00edan ser capaces de acceder a informaci\u00f3n sobre recursos de la red interna."}], "id": "CVE-2017-0889", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-13T17:29:00.193", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"source": "support@hackerone.com", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/209430"}, {"source": "support@hackerone.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/713"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/thoughtbot/paperclip/pull/2435"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/209430"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://hackerone.com/reports/713"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-918"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-918"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "paperclip: SSRF vulnerability in the Paperclip::UriAdapter class", "id": "1513542", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1513542"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "status": "draft"}, "cwe": "CWE-918", "details": ["Paperclip ruby gem version 3.1.4 and later suffers from a Server-SIde Request Forgery (SSRF) vulnerability in the Paperclip::UriAdapter class. Attackers may be able to access information about internal network resources."], "name": "CVE-2017-0889", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "paperclip", "product_name": "CloudForms Management Engine 5"}], "public_date": "2017-04-21T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-0889\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-0889"], "statement": "Red Hat CloudForms 4shipped the vulnerable paperclip ruby gem, however this ruby gem was removed in CloudForms 5.8. As this issue has been addressed in CloudForms 5.8, and the issue is only rated moderate Red Hat Security will not be fixing this issue in CloudForms 5.7.", "threat_severity": "Moderate"}