Dragonfly Arbitrary File Read/Write (CVE-2021-33564) - Vulnerability Database

Description

The application uses Refinery CMS with a vulnerable version of the Dragonfly gem (prior to version 1.4.0). This gem contains an argument injection vulnerability (CVE-2021-33564) that allows attackers to manipulate file processing commands, enabling unauthorized reading and writing of arbitrary files on the server. This vulnerability can be exploited remotely without authentication, making it a critical security risk for any application using the affected versions.

Remediation

Immediately upgrade the Dragonfly gem to version 1.4.0 or later. Update your Gemfile with the following change:

    gem 'dragonfly', '~> 1.4'

Then run the following commands to update dependencies:

    bundle update dragonfly
    bundle install

After upgrading, restart your application server to ensure the changes take effect. Additionally, review server logs for any suspicious file access patterns that may indicate prior exploitation, and conduct a security audit of file permissions to ensure proper access controls are in place. If immediate patching is not possible, consider implementing web application firewall (WAF) rules to filter malicious requests targeting this vulnerability.
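To confirm the upgrade actually landed in a deployed application, the locked version can be checked rather than the Gemfile constraint. The script below is an added example, not Invicti's or the Dragonfly project's code; the lockfile it parses is constructed for the demonstration and the function names are assumptions.

```ruby
# Added example: audit a Gemfile.lock for a Dragonfly version below the fixed
# release 1.4.0 (CVE-2021-33564). Uses only the standard RubyGems library.
require "rubygems"

# First release that fixes the argument injection (from the advisory above).
FIXED_DRAGONFLY_VERSION = Gem::Version.new("1.4.0")

# Collect "name (version)" spec lines from a Gemfile.lock into a Hash of
# name => Gem::Version. Spec lines sit at exactly four spaces of indent; the
# six-space "depends on" lines beneath them carry constraints, not versions,
# and are skipped because the captured version must start with a digit.
def locked_versions(lockfile_text)
  versions = {}
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}(\S+) \((\d[^)\s]*)\)\s*\z/)
    versions[m[1]] = Gem::Version.new(m[2]) if m
  end
  versions
end

# :vulnerable if dragonfly is locked below 1.4.0 (pre-releases such as
# 1.4.0.beta compare lower and are reported as vulnerable), :patched if at or
# above it, :not_present if the gem is not in the lockfile at all.
def dragonfly_status(lockfile_text)
  v = locked_versions(lockfile_text)["dragonfly"]
  return :not_present if v.nil?
  v < FIXED_DRAGONFLY_VERSION ? :vulnerable : :patched
end

# Constructed sample lockfile (not taken from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      dragonfly (1.3.0)
        addressable (~> 2.3)
        multi_json (~> 1.0)
        rack (>= 1.3)
      refinerycms-core (4.0.3)
        dragonfly (~> 1.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV.empty? ? SAMPLE_LOCKFILE : File.read(ARGV[0])
  puts "dragonfly: #{dragonfly_status(text)}"
end
```

Run it with a path to a real Gemfile.lock as the first argument; with no argument it audits the embedded sample.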
