High severity · NVD Advisory · Published Jun 9, 2014 · Updated May 6, 2026
CVE-2013-1756
Description
The Dragonfly gem 0.7 before 0.8.6 and 0.9.x before 0.9.13 for Ruby, when used with Ruby on Rails, allows remote attackers to execute arbitrary code via a crafted request.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| dragonfly (RubyGems) | >= 0.7, < 0.8.6 | 0.8.6 |
| dragonfly (RubyGems) | >= 0.9, < 0.9.13 | 0.9.13 |
Affected products
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.6:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.7.7:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.8.4:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.9:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.10:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.11:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.12:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.8.5:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.0:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.1:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.2:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.3:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.4:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.5:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.6:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.7:*:*:*:*:*:*:*
- cpe:2.3:a:mark_evans:dragonfly_gem:0.9.8:*:*:*:*:*:*:*
Patches
a8775aacf9e5 · security update note
1 file changed · +2 −0
README.md+2 −0 modified@@ -7,6 +7,8 @@ Ideal for using with Ruby on Rails (2.3 and 3), Sinatra and all that gubbins. However, Dragonfly is NOT JUST FOR RAILS, and NOT JUST FOR IMAGES!! +**IMPORTANT: if you're running a version between 0.7.0 and 0.9.12, please update to 0.9.14 for a security update [details here](https://groups.google.com/forum/?fromgroups=#!topic/dragonfly-users/3c3WIU3VQTo)** + For the lazy Rails user... -------------------------- **Gemfile**:
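Review bot: the added README notice tells users on 0.7.0 through 0.9.12 to update to 0.9.14 but never says what the issue is or how serious it is, so a reader cannot judge urgency without following the link. Suggest stating the impact in one phrase inside the bold notice and making the range explicit about whether 0.7.0 and 0.9.12 are themselves included. The link also depends on a Google Groups `?fromgroups=#!topic/...` fragment URL, which is fragile; copying the key details into the README or a changelog entry would keep the notice useful if that URL stops resolving.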
References
- github.com/advisories/GHSA-p463-639r-q9g9 (ghsa, ADVISORY)
- github.com/markevans/dragonfly/commit/a8775aacf9e5c81cf11bec34b7afa7f27ddfe277 (nvd, Vendor Advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2013-1756 (ghsa, ADVISORY)
- exchange.xforce.ibmcloud.com/vulnerabilities/82476 (nvd, WEB)
- groups.google.com/forum/ (ghsa, WEB)
- web.archive.org/web/20200229103538/http://www.securityfocus.com/bid/58225 (ghsa, WEB)
- secunia.com/advisories/52380 (nvd)
- www.securityfocus.com/bid/58225 (nvd)
- groups.google.com/forum/ (nvd)