RubySec

Providing security resources for the Ruby community

OSVDB-110439 (dragonfly): Dragonfly Gem for Ruby Image Uploading & Processing Remote Command Execution

Published: August 25, 2014

SECURITY IDENTIFIERS

GEM

dragonfly

PATCHED VERSIONS

>= 1.0.7

DESCRIPTION

Dragonfly Gem for Ruby contains a flaw in its uploading and processing functionality that is due to the gem failing to restrict arbitrary commands passed to ImageMagick's convert. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.
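The practical check for this advisory is whether a locked dragonfly version falls inside the patched range. The following is an added example, not code from this advisory or from the dragonfly gem: it evaluates the ">= 1.0.7" constraint with RubyGems' own version classes and scans a constructed Gemfile.lock fragment (the same "name (version)" layout Bundler writes under "specs:") for affected entries.

```ruby
require "rubygems"

# Constructed record mirroring this advisory's fields (not the advisory-db YAML itself).
DRAGONFLY_ADVISORY = {
  id:               "OSVDB-110439",
  gem:              "dragonfly",
  patched_versions: [">= 1.0.7"],
}.freeze

# True when `version` satisfies at least one of the advisory's patched-version constraints.
def patched?(advisory, version)
  v = Gem::Version.new(version)
  advisory[:patched_versions].any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Scans Gemfile.lock text and returns [name, version] pairs that the advisory affects.
# Bundler lists each resolved gem under "specs:" as a 4-space-indented "name (version)" line;
# transitive dependencies are indented 6 spaces and are deliberately not matched here.
def vulnerable_specs(lockfile_text, advisory)
  lockfile_text.each_line.filter_map do |line|
    m = line.match(/\A\s{4}(\S+) \(([^)]+)\)\s*\z/) or next
    name, version = m[1], m[2]
    next unless name == advisory[:gem]
    next if patched?(advisory, version)
    [name, version]
  end
end

# Constructed sample lockfile fragment for demonstration (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (1.0.6)
      rack (1.5.2)
LOCK

if $PROGRAM_NAME == __FILE__
  vulnerable_specs(SAMPLE_LOCK, DRAGONFLY_ADVISORY).each do |name, version|
    puts "#{DRAGONFLY_ADVISORY[:id]}: #{name} #{version} is affected; " \
         "upgrade to #{DRAGONFLY_ADVISORY[:patched_versions].join(' or ')}"
  end
end
```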
