CVE-2021-33564

Description

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

NVD
Severity: CRITICAL
CVE ID: CVE-2021-33564
CVSS Score: 9.8
CVSS Metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Refrence: NVD MITRE

Proof Of Concept

Nuclei Templates for CVE-2021-33564

Refrence: Project Discovery GitHub

mlr0p

Argument Injection in Dragonfly Ruby Gem

Refrence: GitHub

dorkerdevil

Argument Injection in Dragonfly Ruby Gem exploit (backup)

Refrence: GitHub

Description​

Proof Of Concept​

Description

Proof Of Concept