CVE-2021-33564 – dragonfly
Package
Manager: gem
Name: dragonfly
Vulnerable Version: >=0 <1.4.0
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS: 0.91228 (percentile 0.99639)
Details
Dragonfly contains a remote code execution vulnerability. An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write arbitrary files via a crafted URL when the `verify_url` option is disabled, which may lead to code execution. The problem occurs because the generate and process features mishandle the arguments they pass to the ImageMagick `convert` utility.
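The following is an added illustration of the bug class (CWE-88 argument injection into an ImageMagick command line) and of the two mitigations a practitioner would want: validating the arguments before they reach `convert`, and refusing to process any URL whose HMAC does not verify (the role of the `verify_url` option named above). It is not Dragonfly's code; the function names, the allow-list of options and the constructed sample inputs are assumptions made for the example.

```ruby
require "shellwords"
require "openssl"

# Illustrative allow-list: the handful of convert options an image pipeline
# legitimately needs. Everything else (-write, -fx, @file reads, "msl:" and
# other coder prefixes) is rejected. Not Dragonfly's list.
ALLOWED_CONVERT_OPTIONS = %w[-resize -thumbnail -quality -strip -rotate -gravity -crop -flatten].freeze
FLAG_OPTIONS = %w[-strip -flatten].freeze            # options that take no value

# Value shapes accepted after an option, e.g. "100x100", "200x200^", "90", "center".
SAFE_VALUE = /\A[A-Za-z0-9+^!%>]+\z/
# Plain relative file names only: no "@" (reads a file list), no ":" (coder
# prefix such as msl: or ephemeral:), no ".." traversal.
SAFE_PATH = /\A(?!@)[A-Za-z0-9_.\/-]+\z/

def safe_path?(path)
  path.match?(SAFE_PATH) && !path.include?("..")
end

# Vulnerable pattern: user-controlled args are only tokenised, never validated.
# Passing an argv array (no shell) prevents *command* injection, but an
# attacker can still inject *arguments* such as "-write <path>", which makes
# convert write its output wherever the process has permission (CWE-88).
def build_convert_argv_unsafe(input, output, user_args)
  ["convert", input, *Shellwords.split(user_args), output]
end

# Hardened form: every token must be an allow-listed option, and every option
# value and both file names must match a strict shape. Raises ArgumentError
# on anything else, so the request is rejected before convert ever runs.
def build_convert_argv_safe(input, output, user_args)
  [input, output].each do |p|
    raise ArgumentError, "unsafe file name: #{p.inspect}" unless safe_path?(p)
  end
  tokens = Shellwords.split(user_args)
  argv = []
  until tokens.empty?
    opt = tokens.shift
    raise ArgumentError, "option not allowed: #{opt.inspect}" unless ALLOWED_CONVERT_OPTIONS.include?(opt)
    argv << opt
    next if FLAG_OPTIONS.include?(opt)
    val = tokens.shift
    raise ArgumentError, "bad value for #{opt}: #{val.inspect}" unless val&.match?(SAFE_VALUE)
    argv << val
  end
  ["convert", input, *argv, output]
end

# Signed-URL check in the spirit of the advisory's verify_url option: the
# server only processes a job whose URL carries an HMAC made with the server
# secret, so a remote user cannot craft processing URLs at all. Hypothetical
# helpers, not Dragonfly's own implementation.
def sign_url(path, secret)
  OpenSSL::HMAC.hexdigest("SHA256", secret, path)
end

# Constant-time comparison so the signature cannot be guessed byte by byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def verified_url?(path, sha, secret)
  constant_time_equal?(sign_url(path, secret), sha.to_s)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed attacker input: a legitimate resize followed by an injected -write.
  attacker_args = "-resize 100x100 -write /tmp/pwned.txt"
  p build_convert_argv_unsafe("in.jpg", "out.jpg", attacker_args)   # -write goes straight through
  begin
    build_convert_argv_safe("in.jpg", "out.jpg", attacker_args)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
  path = "/media/in.jpg/convert/-resize%20100x100"
  sig = sign_url(path, "s3cret")
  p verified_url?(path, sig, "s3cret")          # true: signed by the server
  p verified_url?(path + "x", sig, "s3cret")    # false: tampered path
end
```

The point of the pairing is that an argv array alone is not a fix for this CWE; only the allow-list removes `-write`, and only the signed URL stops a remote user from choosing the arguments in the first place. Keep both in place, and keep `verify_url` enabled.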
Metadata
Created: 2021-06-02T21:42:49Z
Modified: 2023-08-25T21:02:50Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j858-xp5v-f8xx/GHSA-j858-xp5v-f8xx.json
CWE IDs: ["CWE-88", "CWE-94"]
Alternative ID: GHSA-j858-xp5v-f8xx
Finding: F422
Auto approve: 1