ADVISORIES
- OSVDB-110439
- Vendor Advisory
GEM
PATCHED VERSIONS
- >= 1.0.7
DESCRIPTION
The Dragonfly gem for Ruby contains a flaw in Uploading & Processing: the gem fails to restrict arbitrary commands passed to ImageMagick's convert. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.