CVE-2019-13574 (mini_magick): Remote command execution via filename

July 12th, 2019

ADVISORIES

CVE-2019-13574 (NVD)
GHSA-r7j3-vvh2-xrpj
Vendor Advisory

GEM

mini_magick

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

>= 4.9.4

DESCRIPTION

A remote shell execution vulnerability when using MiniMagick::Image.open with URL coming from unsanitized user input. e.g. MiniMagick::Image.open("| touch.txt")

https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851

RubySec

CVE-2019-13574 (mini_magick): Remote command execution via filename

ADVISORIES

GEM

SEVERITY

PATCHED VERSIONS

DESCRIPTION

RELATED

Recent Advisories