Published: 12/07/2019 Updated: 12/07/2019

Vulnerability Summary

In lib/mini_magick/image.rb in MiniMagick prior to 4.9.4, a fetched remote image filename could cause remote command execution because input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

Vulnerability Trend

Vendor Advisories

Debian Bug report logs - #931932 CVE-2019-13574 Package: ruby-mini-magick; Maintainer for ruby-mini-magick is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for ruby-mini-magick is src:ruby-mini-magick (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debianorg> ...
Harsh Jaiswal discovered a remote shell execution vulnerability in ruby-mini-magick, a Ruby library providing a wrapper around ImageMagick or GraphicsMagick, exploitable when using MiniMagick::Imageopen with specially crafted URLs coming from unsanitized user input For the oldstable distribution (stretch), this problem has been fixed in version 4 ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4481-1 security () debian org wwwdebianorg/security/ Salvatore Bonaccorso July 13, 2019 wwwdebianorg/security/faq ...

Github Repositories

PoC CVE-2019-13574