Advisories for Gem/Dragonfly package

2022

Arbitrary file write in dragonfly

An argument injection vulnerability in Dragonfly Ruby Gem v1.3.0 allows attackers to read and write arbitrary files when the verify_url option is disabled. This vulnerability is exploited via a crafted URL.

2021

Argument Injection or Modification

An argument injection vulnerability in the Dragonfly gem for Ruby allows remote attackers to read and write to arbitrary files via a crafted URL when the verify_url option is disabled. This may lead to code execution. The problem occurs because the generate and process features mishandle use of the ImageMagick convert utility.

2014

Remote Code Execution

The gem contains a flaw in Uploading & Processing that is due to the gem failing to restrict the arbitrary commands passed to ImageMagick's convert utility. This may allow a remote attacker to gain read/write access to the filesystem and execute arbitrary commands.

Command Injection

lib/dragonfly/imagemagickutils.rb in the fog-dragonfly gem for Ruby allows remote attackers to execute arbitrary commands via unspecified vectors.

2011

Windows Shell Escaping Weakness

The gem contains a flaw that is due to the program failing to properly escape shell arguments that contain injected characters on Windows. This may allow a context-dependent attacker to potentially execute arbitrary commands.