GHSA-j858-xp5v-f8xx

Suggest an improvement
Source
https://github.com/advisories/GHSA-j858-xp5v-f8xx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/06/GHSA-j858-xp5v-f8xx/GHSA-j858-xp5v-f8xx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-j858-xp5v-f8xx
Aliases
Published
2021-06-02T21:42:49Z
Modified
2024-02-15T05:42:29.446807Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Dragonfly contains remote code execution vulnerability
Details

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Database specific
{
    "nvd_published_at": "2021-05-29T14:15:00Z",
    "cwe_ids": [
        "CWE-88",
        "CWE-94"
    ],
    "severity": "CRITICAL",
    "github_reviewed": true,
    "github_reviewed_at": "2021-06-01T16:59:54Z"
}
References

Affected packages

RubyGems / dragonfly

Package

Name
dragonfly
Purl
pkg:gem/dragonfly

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.4.0

Affected versions

0.*

0.1.0
0.1.1
0.1.4
0.1.5
0.1.6
0.2.1
0.3.0
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.6.0
0.6.1
0.6.2
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.5
0.7.6
0.7.7
0.8.0
0.8.1
0.8.2
0.8.4
0.8.5
0.8.6
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15

1.*

1.0
1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.0.11
1.0.12
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.2.0
1.2.1
1.3.0