Dragonfly Gem Argument Injection Vulnerability

Dragonfly Gem Argument Injection Vulnerability

CVE-2021-33564 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Learn more about our Web Application Penetration Testing UK.