Description
Kayran has detected that the Version of Dragonfly in Ruby being used in vulnerable to an Arbitrary File Read/Write.
The problem occurs because the generate and process features mishandle use of the ‘ImageMagick’ convert utility.
CVE-2021-33564 is categorized as a ‘Improper Neutralization of Argument Delimiters in a Command’, or ‘Argument Injection’ vulnerability (CWE-88).
These Vulnerabilities occur when The software constructs a string for a command to executed by a separate component in another control sphere.
But in fact, it does not properly delimit the intended arguments, options, or switches within that command string.
By injecting an argument in the Dragonfly gem, remote attackers could read and write to arbitrary files via a crafted URLs when the ‘verify_url’ option is disabled.
This could lead to Codes being Executed.
That will assist attackers in obtaining sensitive information (Information Disclosure).
There’s a chance that this vulnerability will allow attackers to modify system files and information.
It could also lead to a decrease in performance and interruptions in the availability of resources.
Recommendation
To fix CVE-2021-33564, upgrade the version of Dragonfly being used to 1.4.0 or higher.
References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564
