FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

dragonfly -- argument injection

Affected packages
rubygem-dragonfly < 2.4.0

Details

VuXML ID c9e2a1a7-caa1-11eb-904f-14dae9d5a9d2
Discovery 2021-05-24
Entry 2021-06-11

NVD reports:

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

References

CVE Name CVE-2021-33564
URL https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564
URL https://github.com/mlr0p/CVE-2021-33564
URL https://nvd.nist.gov/vuln/detail/CVE-2021-33564
URL https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/