CVE-2022-24720

Published: Mar 1, 2022

Modified: Apr 22, 2025

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.

Vendor	Product	Versions
janko	image_processing	affected `< 1.12.2`

Weaknesses (CWE)

CWE-20

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446

https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada

DSA-5310

vendor-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2022-24720

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References