Ruby Dragonfly – CVE-2021-33564

Description

Kayran has detected that the Version of Dragonfly in Ruby being used in vulnerable to an Arbitrary File Read/Write.
The problem occurs because the generate and process features mishandle use of the ‘ImageMagick’ convert utility.

CVE-2021-33564 is categorized as a ‘Improper Neutralization of Argument Delimiters in a Command’, or ‘Argument Injection’ vulnerability (CWE-88).
These Vulnerabilities occur when The software constructs a string for a command to executed by a separate component in another control sphere.
But in fact, it does not properly delimit the intended arguments, options, or switches within that command string.

By injecting an argument in the Dragonfly gem, remote attackers could read and write to arbitrary files via a crafted URLs when the ‘verify_url’ option is disabled.
This could lead to Codes being Executed.

That will assist attackers in obtaining sensitive information (Information Disclosure).
There’s a chance that this vulnerability will allow attackers to modify system files and information.
It could also lead to a decrease in performance and interruptions in the availability of resources.

Recommendation

To fix CVE-2021-33564, upgrade the version of Dragonfly being used to 1.4.0 or higher.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564

https://cwe.mitre.org/data/definitions/88.html

< Return to all Vulnerabilities

Exposing the GIT

Let’s start with defining the meaning of GIT. GIT – is an open-source system which we use as a tool to store data and information

Read More »

The Cloud

I’m pretty sure there isn’t a single adult in the world who hasn’t at least heard of The Cloud. Explaining “The Cloud” in 2022 may

Read More »

HAR Files

In this article, I’ll talk and explain about HAR Files, so if you don’t know what they are, or, what do we use them for,

Read More »