RubySec

Providing security resources for the Ruby community

CVE-2013-2616 (mini_magick): MiniMagick Gem for Ruby URI Handling Arbitrary Command Injection

ADVISORIES

GEM

mini_magick

SEVERITY

CVSS v2.0: 9.3 (High)

PATCHED VERSIONS

  • >= 3.6.0

DESCRIPTION

MiniMagick Gem for Ruby contains a flaw that is triggered during the handling of specially crafted input from an untrusted source passed via a URL that contains a ';' character. This may allow a context-dependent attacker to potentially execute arbitrary commands.