CVE-2024-22049: 
Ruby vulnerability analysis and mitigation

CVE-2024-22049 affects httparty versions before 0.21.0, exposing a vulnerability in multipart/form-data request handling. The vulnerability was discovered in January 2024 and allows remote, unauthenticated attackers to manipulate filename parameters during multipart/form-data uploads (GitHub Advisory, NVD).

The vulnerability stems from improper escaping of the Content-Disposition 'filename' field in multipart/form-data requests. The issue occurs in the generate_multipart function where filename parameters lack proper escaping for special characters like double quotes, carriage returns, and line feeds. The vulnerability has a CVSS v3.1 base score of 5.3 (Medium) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

An attacker can exploit this vulnerability to perform two types of attacks: rewriting the 'name' field by crafting malicious filenames to impersonate or overwrite other fields, and manipulating filename extensions during multipart/form-data generation. This vulnerability has been confirmed to work against multiple frameworks including Spring (Java), Ktor (Kotlin), and Ruby on Rails (Ruby) (GitHub Advisory).

The vulnerability has been fixed in httparty version 0.21.0. The fix involves properly escaping special characters in the filename field according to the HTML specification, replacing 0x0A (LF) with %0A, 0x0D (CR) with %0D, and 0x22 (") with %22. Users are recommended to upgrade to version 0.21.0 or later (GitHub Patch).

Multiple Linux distributions have released security updates to address this vulnerability, including Debian with DLA-3716-1 and DLA-3900-1, and Fedora with updates for versions 38 and 39 (Debian LTS, Fedora Update).