CVE-2021-33473

Опубликовано: 02 июн. 2022

Источник: nvd

CVSS3: 9.1

CVSS2: 4.9

EPSS Низкий

Описание

An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.

Ссылки

https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
Patch
Third Party Advisory
https://github.com/markevans/dragonfly/issues/513
Issue Tracking
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220715-0004/
Third Party Advisory
https://github.com/markevans/dragonfly/commit/25399297bb457f7fcf8e3f91e85945b255b111b5
Patch
Third Party Advisory
https://github.com/markevans/dragonfly/issues/513
Issue Tracking
Third Party Advisory
https://security.netapp.com/advisory/ntap-20220715-0004/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:dragonfly_project:dragonfly:1.3.0:*:*:*:*:ruby:*:*

EPSS

Процентиль: 57%

0.00344

Низкий

9.1 Critical

CVSS3

4.9 Medium

CVSS2

Дефекты

CWE-88

Связанные уязвимости

GHSA-fj34-jhjx-xmvv