cve/2021/CVE-2021-33564.md

### [CVE-2021-33564](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564)
![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)
![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)

### Description

An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

### POC

#### Reference
- https://github.com/mlr0p/CVE-2021-33564
- https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/

#### Github
- https://github.com/ARPSyndicate/cvemon
- https://github.com/ARPSyndicate/kenzer-templates
- https://github.com/BLACKHAT-SSG/MindMaps2
- https://github.com/Lazykakarot1/Learn-365
- https://github.com/NaInSec/CVE-PoC-in-GitHub
- https://github.com/PwnAwan/MindMaps2
- https://github.com/SYRTI/POC_to_review
- https://github.com/WhooAmii/POC_to_review
- https://github.com/dorkerdevil/CVE-2021-33564
- https://github.com/harsh-bothra/learn365
- https://github.com/markevans/dragonfly
- https://github.com/mlr0p/CVE-2021-33564
- https://github.com/nomi-sec/PoC-in-GitHub
- https://github.com/soosmile/POC
- https://github.com/trhacknon/Pocingit
- https://github.com/zecool/cve
Update Sat May 25 21:48:12 CEST 2024 2024-05-25 21:48:12 +02:00			`### [CVE-2021-33564](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33564)`
			`![](https://img.shields.io/static/v1?label=Product&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Version&message=n%2Fa&color=blue)`
			`![](https://img.shields.io/static/v1?label=Vulnerability&message=n%2Fa&color=brighgreen)`

			`### Description`

			`An argument injection vulnerability in the Dragonfly gem before 1.4.0 for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.`

			`### POC`

			`#### Reference`
			`- https://github.com/mlr0p/CVE-2021-33564`
			`- https://zxsecurity.co.nz/research/argunment-injection-ruby-dragonfly/`

			`#### Github`
			`- https://github.com/ARPSyndicate/cvemon`
			`- https://github.com/ARPSyndicate/kenzer-templates`
			`- https://github.com/BLACKHAT-SSG/MindMaps2`
			`- https://github.com/Lazykakarot1/Learn-365`
			`- https://github.com/NaInSec/CVE-PoC-in-GitHub`
			`- https://github.com/PwnAwan/MindMaps2`
			`- https://github.com/SYRTI/POC_to_review`
			`- https://github.com/WhooAmii/POC_to_review`
			`- https://github.com/dorkerdevil/CVE-2021-33564`
			`- https://github.com/harsh-bothra/learn365`
			`- https://github.com/markevans/dragonfly`
			`- https://github.com/mlr0p/CVE-2021-33564`
			`- https://github.com/nomi-sec/PoC-in-GitHub`
			`- https://github.com/soosmile/POC`
			`- https://github.com/trhacknon/Pocingit`
			`- https://github.com/zecool/cve`