An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.
References
Configurations
History
21 Nov 2024, 06:09
Type | Values Removed | Values Added |
---|---|---|
References | () https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5 - Patch, Third Party Advisory | |
References | () https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0 - Patch, Third Party Advisory | |
References | () https://github.com/markevans/dragonfly/issues/513 - Issue Tracking, Third Party Advisory | |
References | () https://github.com/mlr0p/CVE-2021-33564 - Exploit, Third Party Advisory | |
References | () https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-33564.yaml - Exploit, Third Party Advisory | |
References | () https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/ - Exploit, Third Party Advisory |
10 Jun 2021, 15:20
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:dragonfly_project:dragonfly:*:*:*:*:*:ruby:*:* | |
References | (MISC) https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-33564.yaml - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/mlr0p/CVE-2021-33564 - Exploit, Third Party Advisory | |
References | (MISC) https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/ - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0 - Patch, Third Party Advisory | |
References | (MISC) https://github.com/markevans/dragonfly/issues/513 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5 - Patch, Third Party Advisory | |
CWE | CWE-88 | |
CVSS |
v2 : v3 : |
v2 : 6.8
v3 : 9.8 |
29 May 2021, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-05-29 14:15
Updated : 2024-11-21 06:09
NVD link : CVE-2021-33564
Mitre link : CVE-2021-33564
CVE.ORG link : CVE-2021-33564
JSON object : View
Products Affected
dragonfly_project
- dragonfly
CWE
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')