GHSA-j858-xp5v-f8xx

Source

https://github.com/advisories/GHSA-j858-xp5v-f8xx

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j858-xp5v-f8xx/GHSA-j858-xp5v-f8xx.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-j858-xp5v-f8xx

Aliases

CVE-2021-33564

Published

2021-06-02T21:42:49Z

Modified

2024-02-16T08:14:53.365593Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Dragonfly contains remote code execution vulnerability

Details

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Database specific

{
    "nvd_published_at": "2021-05-29T14:15:00Z",
    "cwe_ids": [
        "CWE-88",
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-01T16:59:54Z"
}

References

Affected packages

RubyGems / dragonfly

Package

Name: dragonfly
Purl: pkg:gem/dragonfly

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.4.0

Affected versions

0.*

0.1.0

0.1.1

0.1.4

0.1.5

0.1.6

0.2.1

0.3.0

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.6.0

0.6.1

0.6.2

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.5

0.7.6

0.7.7

0.8.0

0.8.1

0.8.2

0.8.4

0.8.5

0.8.6

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

1.*

1.0

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.0.11

1.0.12

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.2.0

1.2.1

1.3.0