CVE-2019-13574

Published: Jul 12, 2019

Modified: Aug 4, 2024

PUBLISHED

Description

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://github.com/minimagick/minimagick/releases/tag/v4.9.4

x_refsource_MISC

https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851

x_refsource_MISC

https://github.com/minimagick/minimagick/compare/d484786...293f9bb

x_refsource_MISC

https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

x_refsource_MISC

DSA-4481

vendor-advisory

x_refsource_DEBIAN

20190715 [SECURITY] [DSA 4481-1] ruby-mini-magick security update

mailing-list

x_refsource_BUGTRAQ

[debian-lts-announce] 20191007 [SECURITY] [DLA 1948-1] ruby-mini-magick security update

mailing-list

x_refsource_MLIST

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2019-13574

Description

Affected Products

References