Rubysec

Providing security resources for the Ruby community.

---
gem: mini_magick
date: 2019-07-12
url: https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/
cve: 2019-13574
title: Remote command execution via filename
description: |
  A remote command execution vulnerability exists when MiniMagick::Image.open is called with a URL or filename that comes from unsanitized user input,
  e.g. `MiniMagick::Image.open("| touch.txt")`
cvss_v3: '7.5'
patched_versions:
- ">= 4.9.4"
related:
  url:
  - https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851