CVE-2021-33473: Arbitrary file write in dragonfly

June 2, 2022 (updated October 27, 2022)

An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.

References

github.com/advisories/GHSA-fj34-jhjx-xmvv
github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
github.com/markevans/dragonfly/issues/513
nvd.nist.gov/vuln/detail/CVE-2021-33473

Code Behaviors & Features

Detect and mitigate CVE-2021-33473 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →