CVE-2021-33564

Published: 29/05/2021 Updated: 10/06/2021
CVSS v2 Base Score: 6.8 | Impact Score: 6.4 | Exploitability Score: 8.6
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 606
Vector (CVSS v2): AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Summary

An argument injection vulnerability in the Dragonfly gem prior to 1.4.0 for Ruby allows remote malicious users to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Vulnerable Product

dragonfly project dragonfly

Github Repositories

A Ruby gem for on-the-fly processing - suitable for image uploading in Rails, Sinatra and much more!

Dragonfly

Hello!! Dragonfly is a highly customizable ruby gem for handling images and other attachments and is already in use on thousands of websites.

If you want to generate image thumbnails in Rails:

class User < ActiveRecord::Base # model
  dragonfly_accessor :photo
end

<%= image_tag @user.photo.thumb('300x200#&

Argument Injection in Dragonfly Ruby Gem

CVE-2021-33564

PoC exploit script for CVE-2021-33564 (Argument Injection in Dragonfly Ruby Gem).

Usage

Arbitrary File Read: python3 poc.py -u <target_url>/system/refinery/images -r /etc/passwd

Arbitrary File Write: python3 poc.py -u <target_url>/system/refinery/images -w public/test.txt -c test.txt -lu <local_url> F