CVE-2021-33564 Scanner
Detects the 'Argument Injection' vulnerability in Dragonfly (open source project), affecting versions before 1.4.0.
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 30 days
Scan only one: URL
Toolbox: -
Dragonfly is a Ruby gem that is used for on-the-fly processing and uploading of images. It provides a simple interface to crop, resize, and animate images. It can handle all input and output file types, making it a versatile tool. It also supports integrations with popular data storage services like Amazon S3 and Rackspace, which allows users to store and retrieve images easily.
CVE-2021-33564 is a vulnerability in the Dragonfly gem before version 1.4.0. It is an argument injection vulnerability caused by the mishandling of arguments passed to the ImageMagick convert utility in the generate and process features. When the "verify_url" option is disabled, remote attackers can exploit it to read and write arbitrary files, which could lead to code execution.
If this vulnerability is exploited, attackers can gain unauthorized access to sensitive files and data. They can upload and execute arbitrary code on systems and servers, which can lead to system crashes, data breaches, and theft of intellectual property. These attacks can also result in the disruption of critical business operations, causing significant financial and reputational damages to organizations.
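As an added example (it is not part of this page or of the Dragonfly project), the following Ruby script checks the two conditions the description names: a locked dragonfly version older than 1.4.0 in Gemfile.lock, and a Dragonfly configuration that disables URL verification. It assumes Dragonfly's configuration option is spelled `verify_urls` (the page writes "verify_url"); the Gemfile.lock and configuration fragments are constructed sample input, not taken from any real application.

```ruby
require "rubygems" # provides Gem::Version for semantic version comparison

# Version in which the argument injection was fixed (stated on the page).
FIXED_VERSION = Gem::Version.new("1.4.0")

# Constructed Gemfile.lock fragment: a vulnerable 1.3.0 lock.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.0)
      dragonfly (1.3.0)
        addressable (~> 2.3)
        multi_json (~> 1.0)
        rack (>= 1.3)
      multi_json (1.15.0)
      rack (2.2.3)
LOCK

# Constructed Dragonfly configuration with URL verification switched off.
# The option name `verify_urls` is assumed, not quoted from the page.
SAMPLE_CONFIG = <<~RUBY
  Dragonfly.app.configure do
    plugin :imagemagick
    verify_urls false
    url_format "/media/:job/:name"
  end
RUBY

# Returns the locked dragonfly version string, or nil when the gem is absent.
# Top-level gem specs in a Gemfile.lock are indented by exactly four spaces;
# their dependency lines use six, so the anchor excludes those.
def locked_dragonfly_version(lockfile_text)
  m = lockfile_text.match(/^ {4}dragonfly \(([^)]+)\)/)
  m && m[1]
end

# True when the locked version predates the fix (prereleases of 1.4.0 count as older).
def vulnerable_version?(version_string)
  Gem::Version.new(version_string) < FIXED_VERSION
end

# True when the configuration explicitly disables URL verification.
def verify_urls_disabled?(config_text)
  config_text.match?(/^\s*verify_urls\s+false\b/)
end

# Combines both checks into a single assessment hash.
def assess(lockfile_text, config_text)
  version = locked_dragonfly_version(lockfile_text)
  return { status: :not_present } if version.nil?

  findings = []
  findings << "dragonfly #{version} is older than #{FIXED_VERSION}; upgrade" if vulnerable_version?(version)
  findings << "verify_urls is disabled; re-enable it and configure a secret" if verify_urls_disabled?(config_text)
  { status: findings.empty? ? :ok : :action_needed, version: version, findings: findings }
end

if __FILE__ == $PROGRAM_NAME
  lockfile = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  config = ARGV[1] ? File.read(ARGV[1]) : SAMPLE_CONFIG
  result = assess(lockfile, config)
  puts "status: #{result[:status]}"
  Array(result[:findings]).each { |f| puts " - #{f}" }
end
```

Run it with a real Gemfile.lock and initializer path as the two arguments; with no arguments it evaluates the constructed samples and reports both findings. An application that pins 1.4.0 or later and keeps verification enabled is reported as ok; the version check alone is not sufficient, since the description ties exploitability to the verification option as well.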
In conclusion, digital asset security is crucial for organizations that want to protect their intellectual property and sensitive data. With s4e.io's pro features, users can easily and quickly learn about vulnerabilities in their digital assets. These pro features provide customized security alerts and comprehensive reports that allow users to take proactive measures to prevent attacks. By being aware of the latest vulnerabilities and taking precautionary measures, organizations can ensure the safety and integrity of their digital assets.
REFERENCES
- https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
- https://github.com/markevans/dragonfly/compare/v1.3.0...v1.4.0
- https://github.com/markevans/dragonfly/issues/513
- https://github.com/mlr0p/CVE-2021-33564
- https://raw.githubusercontent.com/projectdiscovery/nuclei-templates/master/cves/2021/CVE-2021-33564.yaml
- https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/