Ruby Dragonfly – CVE-2021-33564

Description

Kayran has detected that the Version of Dragonfly in Ruby being used in vulnerable to an Arbitrary File Read/Write.
The problem occurs because the generate and process features mishandle use of the ‘ImageMagick’ convert utility.

CVE-2021-33564 is categorized as a ‘Improper Neutralization of Argument Delimiters in a Command’, or ‘Argument Injection’ vulnerability (CWE-88).
These Vulnerabilities occur when The software constructs a string for a command to executed by a separate component in another control sphere.
But in fact, it does not properly delimit the intended arguments, options, or switches within that command string.

By injecting an argument in the Dragonfly gem, remote attackers could read and write to arbitrary files via a crafted URLs when the ‘verify_url’ option is disabled.
This could lead to Codes being Executed.

That will assist attackers in obtaining sensitive information (Information Disclosure).
There’s a chance that this vulnerability will allow attackers to modify system files and information.
It could also lead to a decrease in performance and interruptions in the availability of resources.

Recommendation

To fix CVE-2021-33564, upgrade the version of Dragonfly being used to 1.4.0 or higher.

References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564

https://cwe.mitre.org/data/definitions/88.html

< Return to all Vulnerabilities

HAR Files

In this article, I’ll talk and explain about HAR Files, so if you don’t know what they are, or, what do we use them for,

Read More »

HTTP VS. HTTPS

You must have once wondered what HTTP means and what is the difference between that ugly word to HTTPS, and if not, then please read

Read More »