RubySec

Providing security resources for the Ruby community

CVE-2019-13574 (mini_magick): Remote command execution via filename

Published: July 12, 2019

SECURITY IDENTIFIERS

GEM

mini_magick

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

>= 4.9.4

DESCRIPTION

A remote command execution vulnerability when MiniMagick::Image.open is called with a URL or path that comes from unsanitized user input, e.g. MiniMagick::Image.open("| touch.txt"). The mechanism is Ruby's Kernel#open, which treats a string beginning with "|" as a shell command and returns a pipe to that command instead of opening a file, so whoever controls the "URL" controls a program run on the server. Upgrade to 4.9.4 or later; independently of the upgrade, never pass raw user input to Image.open, and check that the value is either an http(s) URL or a local path under a directory you expect before handing it to the library.
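The added example below is not mini_magick's code and not part of this advisory; it reproduces the bug class in plain Ruby so the behaviour can be checked offline. vulnerable_open shows what happens when an attacker-controlled string reaches Kernel#open, and classify_source / safe_open_image are one hardened pattern (hypothetical helper names chosen here): the input is classified explicitly, commands and unexpected remote sources are refused, and local files are opened with File.open, which has no pipe semantics, after confirming the resolved path stays under a base directory. The sample file and directories are constructed inside the usage section.

```ruby
require "tmpdir"
require "uri"

# Vulnerable pattern (illustration of the bug class, not mini_magick's code).
# Kernel#open treats a string that begins with "|" as a shell command and
# returns a pipe to that command rather than a File, so "| touch.txt" runs
# a program instead of reading an image.
def vulnerable_open(source)
  open(source) # Kernel#open: "| cmd" behaves like IO.popen("cmd")
end

# Decide what kind of source we were given instead of letting Kernel#open
# guess. Returns :command, :url or :path.
def classify_source(source)
  s = source.to_s
  return :command if s.lstrip.start_with?("|")
  uri = begin
    URI.parse(s)
  rescue URI::InvalidURIError
    nil
  end
  return :url if uri.is_a?(URI::HTTP) # URI::HTTPS is a subclass of URI::HTTP
  :path
end

# Open a local image only. Remote URLs are not fetched here; a caller that
# wants them should call URI.open explicitly, which never spawns a command.
# The resolved path must stay inside base_dir (symlinks are followed first).
def safe_open_image(source, base_dir)
  case classify_source(source)
  when :command
    raise ArgumentError, "refusing to treat #{source.inspect} as a command"
  when :url
    raise ArgumentError, "remote sources must be fetched explicitly"
  end
  base = File.realpath(base_dir)
  real = File.realpath(File.expand_path(source.to_s, base)) # ENOENT if missing
  unless real.start_with?(base + File::SEPARATOR)
    raise ArgumentError, "#{source.inspect} resolves outside #{base}"
  end
  File.open(real, "rb") # File.open never interprets a leading "|"
end

# Usage with constructed inputs: a real image stub under a temporary base
# directory, the advisory's payload, and a file outside the base directory.
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |base|
    File.binwrite(File.join(base, "ok.png"), "PNG-bytes")
    puts classify_source("| touch.txt")                    # command
    puts classify_source("https://example.com/a.png")      # url
    puts safe_open_image("ok.png", base).read              # PNG-bytes
    begin
      safe_open_image("| touch.txt", base)
    rescue ArgumentError => e
      puts "refused: #{e.message}"
    end
  end
end
```

To see the vulnerable side, run vulnerable_open("| echo pwned").read in an irb session on a Ruby that still honours pipe-open: the result is the output of echo, not the contents of a file. The hardened path never reaches Kernel#open, so the same string is rejected before any process can be spawned.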