RubySec

Providing security resources for the Ruby community

CVE-2019-13574 (mini_magick): Remote command execution via filename

ADVISORIES

GEM

mini_magick

SEVERITY

CVSS v3: 7.5

PATCHED VERSIONS

  • >= 4.9.4

DESCRIPTION

A remote shell execution vulnerability exists when MiniMagick::Image.open is called with a URL or path that comes from unsanitized user input, e.g. MiniMagick::Image.open("| touch.txt"). Affected versions hand the string to Kernel#open, whose leading-pipe form runs the remainder of the string as a shell command instead of opening a file or URL.
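As an added illustration, not code from the advisory or from the mini_magick project: a simplified sketch of the unsafe pattern (a caller-controlled string handed to Kernel#open) next to a hardened opener that classifies the input first, in the spirit of the 4.9.4 fix. The function names vulnerable_open and safe_open are invented for this example, and the hardened version only fetches schemes that open-uri knows how to read.

```ruby
require "uri"
require "open-uri"

# UNSAFE (for illustration only): Kernel#open treats a string that starts
# with "|" as a command to run via IO.popen. Before Ruby 3.0, open-uri also
# patched Kernel#open to fetch http(s) URLs, which is why a library might
# have used it for "path or URL" arguments. A user-supplied string such as
# "| touch.txt" therefore becomes shell execution.
def vulnerable_open(path_or_url)
  open(path_or_url, "rb") { |io| io.read }
end

# HARDENED: decide explicitly what kind of input this is and never let
# Kernel#open see an untrusted string.
#   - looks like a URL  -> URI.parse, then URI#open (open-uri) only for
#                          schemes that support it (http, https, ftp)
#   - anything else     -> File.open, which has no pipe special case
def safe_open(path_or_url)
  str = path_or_url.to_str
  if str.match?(%r{\A[A-Za-z][A-Za-z0-9+\-.]*://})
    uri = URI.parse(str)
    unless uri.respond_to?(:open)
      raise ArgumentError, "unsupported URL scheme: #{uri.scheme.inspect}"
    end
    uri.open("rb") { |io| io.read }
  else
    File.open(str, "rb") { |io| io.read }
  end
end
```

With this split, "| touch.txt" never matches the URL pattern, so it goes to File.open and fails with Errno::ENOENT rather than spawning a shell; a file:// URI is rejected because URI::File does not respond to open, which also closes off local file disclosure through the URL branch.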