RubySec

Providing security resources for the Ruby community

CVE-2021-33473 (dragonfly): Arbitrary file write in dragonfly

Published: June 03, 2022

SECURITY IDENTIFIERS

GEM

dragonfly

SEVERITY

CVSS v3.x: 9.1 (Critical)

PATCHED VERSIONS

>= 1.4.0

DESCRIPTION

An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.
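A lockfile check against the patched version listed above, as an added example (not RubySec's or Dragonfly's own code); the helper names and the sample lockfile text are constructed for illustration:

```ruby
require "rubygems" # Gem::Version

# Patched version taken from this advisory (>= 1.4.0).
PATCHED = Gem::Version.new("1.4.0")

# Constructed sample Gemfile.lock text (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.0)
      dragonfly (1.3.0)
        addressable (~> 2.3)
        rack (>= 1.3)
      rack (2.2.3)

  DEPENDENCIES
    dragonfly (~> 1.3)
LOCK

# Return every dragonfly version resolved in Gemfile.lock text.
# Resolved gems sit exactly four spaces deep under "specs:"; lines such as
# "dragonfly (~> 1.3)" are dependency constraints, not resolved versions,
# and are skipped because of their indentation and the space in the parens.
def dragonfly_versions(lock_text)
  lock_text.each_line.map do |line|
    m = line.match(/\A {4}dragonfly \(([^)\s]+)\)\s*\z/)
    Gem::Version.new(m[1]) if m && Gem::Version.correct?(m[1])
  end.compact
end

# Versions below the patched release, as strings; empty means none found.
def vulnerable_dragonfly(lock_text)
  dragonfly_versions(lock_text).select { |v| v < PATCHED }.map(&:to_s)
end

if $PROGRAM_NAME == __FILE__
  # Use the lockfile given on the command line, else the constructed sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  hits = vulnerable_dragonfly(text)
  if hits.empty?
    puts "no dragonfly version below #{PATCHED} resolved"
  else
    puts "dragonfly #{hits.join(', ')} is below the patched version #{PATCHED}"
  end
end
```

Run it with the path to a project's Gemfile.lock as the only argument; with no argument it evaluates the constructed sample.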

RELATED