
CVE-2021-33564: Dragonfly contains remote code execution vulnerability

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.99629%
Published: 6/2/2021
Updated: 8/25/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name: dragonfly
Ecosystem: rubygems
Vulnerable Versions: < 1.4.0
First Patched Version: 1.4.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from improper argument handling in ImageMagick command generation. The commit diff shows removal of direct shell command construction in generators/convert.rb and introduction of a secure Commands module. Pre-patch versions used vulnerable patterns like content.shell_update { |old, new| "convert #{user_input} #{new}" } where user_input contained injection payloads. The CWE-88 mapping confirms argument injection via command delimiters in these functions.
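The pattern named above (a shell command string built by interpolating request-controlled text) is the defect class; the remediation the analysis describes is to stop handing a string to a shell. The block below is an added illustration, not Dragonfly's code and not a reproduction of its Commands module: it places the naive string-building form next to an argv-array form that never touches /bin/sh, and adds a guard for option-like file names, because ImageMagick still parses a leading "-" as an option even when no shell is involved. All function names and the sample file names are constructed for this example.

```ruby
require 'shellwords'

# Naive form, the shape the root cause analysis describes:
# a single string that will be handed to /bin/sh. Any shell metacharacter
# in `input` is interpreted by the shell, and a token beginning with "-"
# is read by convert as an option rather than a path (CWE-88).
def naive_command(input, output)
  "convert #{input} #{output}"
end

class ArgumentInjectionError < StandardError; end

# Hardened form: build one argv array and never join it through a shell.
# Kernel#system / Process.spawn with an Array argument exec the program
# directly, so spaces and metacharacters in `input` stay literal.
# Option-like paths are rejected because ImageMagick would still treat
# a leading "-" as a flag regardless of how the process is spawned.
def safe_argv(input, output, opts = [])
  [input, output].each do |path|
    raise ArgumentInjectionError, "path looks like an option: #{path.inspect}" if path.start_with?('-')
    raise ArgumentInjectionError, "path contains a control character: #{path.inspect}" if path.match?(/[\x00-\x1f]/)
  end
  ['convert', *opts, input, output]
end

# For logging or display only: a correctly quoted rendering of the argv.
# Shellwords.shelljoin escapes each element so the log line is unambiguous.
def safe_command_string(argv)
  Shellwords.shelljoin(argv)
end

# Executes convert with the array form of Kernel#system (no shell).
# Requires ImageMagick on PATH; returns true on success, false or nil otherwise.
def run_convert(input, output, opts = [])
  system(*safe_argv(input, output, opts))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: a file name containing a space.
  puts naive_command('my photo.png', 'out.png')         # two tokens reach convert
  puts safe_command_string(safe_argv('my photo.png', 'out.png'))
end
```

The argv array is the unit to log and to review: if every element originates from validated data and the process is spawned without a shell, the only remaining injection surface is the target program's own option parser, which is what the leading-dash check addresses.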

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the `verify_url` option is disabled. This may lead to code execution. The problem occur
