Detections
Analytics
Dragonfly Ruby Gem < 1.4.0 Argument Injection Vulnerability
critical Web App Scanning Plugin ID 112974
Language:
Synopsis
Dragonfly Ruby Gem < 1.4.0 Argument Injection VulnerabilityDescription
Dragonfly is a popular ruby library used for handling images on websites to generate image thumbnails, text images or managing attachments. When the `verify_urls` option is disabled, an attacker can leverage the vulnerability to inject malicious arguments to shell commands and achieve file read and write, or remote code execution on the target application.Solution
As an immediate workaround, ensure that the verify_urls option is enabled. As the exploitation of the vulnerability remains possible if the attacker retrieves the application secret, it is recommended to update the Dragonfly ruby gem to version 1.4.0 or above to mitigate this issue.See Also
https://github.com/markevans/dragonfly
https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/
Plugin Details
Severity: Critical
ID: 112974
Type: remote
Family: Component Vulnerability
Published: 9/14/2021
Updated: 9/14/2021
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 7.4
CVSS v2
Risk Factor: Medium
Base Score: 6.8
Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2021-33564
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2021-33564
Vulnerability Information
CPE: cpe:2.3:a:dragonfly_project:dragonfly:*:*:*:*:*:ruby:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Reference Information
CVE: CVE-2021-33564
CWE: 88
OWASP: 2010-A1, 2013-A1, 2013-A9, 2017-A1, 2017-A9, 2021-A3, 2021-A6
WASC: Improper Input Handling
DISA STIG: APSC-DV-002560, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2)
ISO: 27001-A.14.2.5
NIST: sp800_53-CM-6b, sp800_53-SI-10
OWASP API: 2019-API7, 2019-API8, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-5.2.5