QwikSec

Security Database

CVE

CWE

Training

CVE-2021-33564

Published: May 29, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/markevans/dragonfly/issues/513

x_refsource_MISC

https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5

x_refsource_MISC

https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0

x_refsource_MISC

https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-33564.yaml

x_refsource_MISC

https://github.com/mlr0p/CVE-2021-33564

x_refsource_MISC

https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.