{"id":"CVE-2024-22049","details":"httparty before 0.21.0 is vulnerable to an assumed-immutable web parameter vulnerability. A remote and unauthenticated attacker can provide a crafted filename parameter during multipart/form-data uploads which could result in attacker controlled filenames being written.","aliases":["GHSA-5pq7-52mg-hr42"],"modified":"2026-04-10T05:09:44.592283Z","published":"2024-01-04T21:15:10.013Z","related":["GHSA-5pq7-52mg-hr42"],"references":[{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00043.html"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2024/01/msg00011.html"},{"type":"FIX","url":"https://github.com/jnunemaker/httparty/commit/cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"},{"type":"FIX","url":"https://github.com/jnunemaker/httparty/security/advisories/GHSA-5pq7-52mg-hr42"},{"type":"FIX","url":"https://vulncheck.com/advisories/vc-advisory-GHSA-5pq7-52mg-hr42"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4LDGAVPR4KB72V4GGQCWODEAI72QZI3V/"},{"type":"ARTICLE","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IOWECZPJY6JZIA5FSBJR77KCRDXWDZDA/"},{"type":"EVIDENCE","url":"https://github.com/advisories/GHSA-5pq7-52mg-hr42"},{"type":"EVIDENCE","url":"https://github.com/jnunemaker/httparty/blob/4416141d37fd71bdba4f37589ec265f55aa446ce/lib/httparty/request/body.rb#L43"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jnunemaker/httparty","events":[{"introduced":"0"},{"fixed":"e731057ebc297eb8a750e866b7762e869dea3087"},{"fixed":"cdb45a678c43e44570b4e73f84b1abeb5ec22b8e"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.21.0"}]}}],"versions":["v0","v0.10.0","v0.10.1","v0.10.2","v0.11.0","v0.12.0","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.13.4","v0.13.5","v0.13.6","v0.13.7","v0.14.0","v0.15.0","v0.15.1","v0.15.2","v0.15.3","v0.15.4","v0.15.5","v0.15.6","v0.15.7","v0.16.0","v0.16.1","v0.16.2","v0.16.4","v0.17.0","v0.17.1","v0.17.2","v0.17.3","v0.18.0","v0.18.1","v0.19.0","v0.19.1","v0.20.0","v0.5.0","v0.5.1","v0.5.2","v0.6.0","v0.6.1","v0.7.0","v0.7.1","v0.7.2","v0.7.3","v0.7.4","v0.7.5","v0.7.6","v0.7.7","v0.7.8","v0.8.0","v0.8.1","v0.8.2","v0.8.3","v0.9.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]},{"events":[{"introduced":"0"},{"last_affected":"39"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-22049.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}