ADVISORIES

• CVE-2021-33473 (NVD)
• GHSA-fj34-jhjx-xmvv
• Vendor Advisory

GEM

dragonfly

SEVERITY

CVSS v3.x: 9.1 (Critical)

PATCHED VERSIONS

• >= 1.4.0

DESCRIPTION

An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.

RELATED

• https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5