CVE-2021-33564
published 2021-05-29


Priority: P1 89, critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW, EXPLOIT, VulnCheck KEV, Initial access
Exploited in the wild
EPSS: 72.25% (99.4th percentile)
An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

Affected

2 ranges

Vendor              Product     Version range    Fixed in
dragonfly_project   dragonfly   < 1.4.0          1.4.0
dragonfly_project   dragonfly   >= 0 < 1.4.0     1.4.0

Detection & IOCs (extracted from sources)

url: /system/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==
url: /system/refinery/images/W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ==
yara:
  rule CVE_2021_33564_Dragonfly_RCE {
    strings:
      $b64_path1 = "W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ=="
    condition:
      $b64_path1
  }
  • Detect exploitation attempts by matching the base64-encoded payload in HTTP GET request paths targeting /system/images/ or /system/refinery/images/ endpoints. The payload decodes to a Dragonfly 'generate' job invoking ImageMagick convert with arbitrary arguments.
  • A successful exploitation response will contain the /etc/passwd file content. Match HTTP 200 responses with the regex pattern 'root:.*:0:0:' in the body to confirm RCE/file-read.
  • The vulnerability is triggered via crafted URL parameters passed to the Dragonfly generate/process features when verify_url is disabled, causing argument injection into the ImageMagick convert utility.
  • Monitor for HTTP GET requests to /system/images/ or /system/refinery/images/ paths containing long base64-encoded strings that decode to JSON arrays starting with 'g' (generate) or 'p' (process) job types followed by 'convert' as the processor name.
  • The vulnerability only exists when the verify_url option is disabled in the Dragonfly configuration. Installations with verify_url enabled are not affected by this attack vector.
  • Affected versions are Dragonfly gem before 1.4.0 for Ruby. The fix was introduced in v1.4.0; ensure the gem is updated to at least this version.
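The detection bullets above describe a path-based check (a base64 segment under /system/images/ or /system/refinery/images/ that decodes to a Dragonfly job array with a 'g' or 'p' step naming the convert processor) and a response-side check (HTTP 200 whose body matches root:.*:0:0:). The Ruby below is an added example of that logic run over constructed access-log lines; it is not code from this page or from the Dragonfly project. The log format, the benign thumbnail job, the handling of URL-safe base64 and stripped '=' padding, and the trailing /filename component after the job are all assumptions made for the sample. The base64 path is the IOC listed above. Because Dragonfly's ImageMagick plugin also exposes convert as an ordinary processor, a 'p' + convert step is reported for review, while the 'g' + convert shape of the IOC is reported as high.

```ruby
require 'json'

# The job segment sits right after the endpoints the advisory names.
JOB_SEGMENT = %r{/system/(?:refinery/)?images/([A-Za-z0-9+/=_-]+)}
# Request line of a combined-format access log (assumed format for the sample).
REQUEST_LINE = %r{^(?<ip>\S+) .*?"(?<method>[A-Z]+) (?<path>\S+) HTTP/[\d.]+" (?<status>\d{3})}
# Response-body signature the advisory gives for a successful /etc/passwd read.
PASSWD_SIGNATURE = /^root:.*:0:0:/

# Decode one base64 segment into a Dragonfly step array ([["g", "convert", ...], ...]),
# or nil if it is not one. Tolerates the URL-safe alphabet and stripped '=' padding
# (an assumption about how a job may have been encoded) and rejects anything that
# is not strictly valid base64 or not a JSON array of arrays.
def decode_job(segment)
  b64 = segment.tr('-_', '+/')
  b64 += '=' * ((4 - b64.length % 4) % 4)
  json = b64.unpack1('m0').force_encoding('UTF-8') # 'm0' = strict base64
  steps = JSON.parse(json)
  return nil unless steps.is_a?(Array) && steps.all? { |s| s.is_a?(Array) && s.first.is_a?(String) }
  steps
rescue ArgumentError, JSON::ParserError
  nil
end

# Pull the job out of a request path. Dragonfly URLs often append /<filename>
# after the job, and standard base64 may itself contain '/', so try the longest
# candidate first and drop trailing '/'-separated pieces until one decodes.
def extract_job(path)
  seg = path[JOB_SEGMENT, 1] or return nil
  parts = seg.split('/')
  parts.size.downto(1) do |n|
    steps = decode_job(parts.first(n).join('/'))
    return steps if steps
  end
  nil
end

# Steps that hand ImageMagick convert a caller-supplied argument string:
# 'g' (generate) or 'p' (process) with 'convert' as the processor name.
def convert_steps(steps)
  steps.select { |s| %w[g p].include?(s[0]) && s[1].to_s == 'convert' }
end

# Scan access-log text and return one finding per request whose job carries a
# convert step, with the decoded step attached so the injected arguments can be read.
def scan_log(text)
  text.each_line.filter_map do |line|
    m = REQUEST_LINE.match(line) or next
    hits = convert_steps(extract_job(m[:path]) || [])
    next if hits.empty?
    { ip: m[:ip], path: m[:path], status: m[:status].to_i,
      severity: hits.any? { |s| s[0] == 'g' } ? 'high' : 'review', steps: hits }
  end
end

# Response-side confirmation: HTTP 200 with a body that looks like /etc/passwd.
def file_read_confirmed?(status, body)
  status == 200 && PASSWD_SIGNATURE.match?(body)
end

# --- Constructed sample data (not from the page) -----------------------------
# A legitimate-looking job: fetch a stored file, then make a thumbnail.
BENIGN_JOB = [[['f', '2021/05/photo.jpg'], ['p', 'thumb', '100x100#']].to_json].pack('m0')
# The base64 path from the IOC list above, placed in two constructed log lines
# next to a benign Dragonfly request and an unrelated asset request.
IOC_JOB = 'W1siZyIsICJjb252ZXJ0IiwgIi1zaXplIDF4MSAtZGVwdGggOCBncmF5Oi9ldGMvcGFzc3dkIiwgIm91dCJdXQ=='
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [29/May/2021:10:00:00 +0000] "GET /system/images/#{IOC_JOB} HTTP/1.1" 200 2019
  10.0.0.6 - - [29/May/2021:10:00:01 +0000] "GET /system/refinery/images/#{IOC_JOB} HTTP/1.1" 200 2019
  10.0.0.7 - - [29/May/2021:10:00:02 +0000] "GET /system/images/#{BENIGN_JOB}/photo.jpg HTTP/1.1" 200 5678
  10.0.0.8 - - [29/May/2021:10:00:03 +0000] "GET /assets/app.js HTTP/1.1" 200 90
LOG
SAMPLE_BODY = "root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "#{f[:severity]} #{f[:ip]} #{f[:path]}"
    f[:steps].each { |s| puts "  step: #{s.inspect}" }
  end
  puts "file read confirmed: #{file_read_confirmed?(200, SAMPLE_BODY)}"
end
```

Run with `ruby dragonfly_scan.rb` to see the two IOC requests reported as high and the benign thumbnail request skipped. The strict 'm0' decode is deliberate: a lenient decoder would accept garbage segments and hand JSON.parse a string that cannot be a job, so rejecting early keeps the scan cheap on busy logs. The YARA rule above only matches the one known payload; decoding the segment and inspecting the step types catches other argument strings sent through the same shape.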

CVSS provenance

NVD v3.1:   9.8 CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0:   6.8 MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
VulnCheck:  9.8 CRITICAL