In lib/mini_magick/image.rb in MiniMagick prior to 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.
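One way to avoid the pattern described above, shown as an added example rather than MiniMagick's own code: classify the input first, then open local paths with `File.open`, which does not interpret a leading `|` the way `Kernel#open` does. The names `classify_image_source`, `safe_open` and `ALLOWED_REMOTE_SCHEMES` and the `example.test` inputs are assumptions made for this illustration.

```ruby
require "uri"
require "open-uri"

# Hypothetical helpers (not MiniMagick's API): decide how an Image.open-style
# argument may be opened without ever handing it to Kernel#open.
ALLOWED_REMOTE_SCHEMES = %w[http https].freeze

def classify_image_source(input)
  str = input.to_s
  # Kernel#open treats "|..." as a command to spawn, so refuse it outright.
  return [:rejected, "leading pipe"] if str.lstrip.start_with?("|")
  return [:rejected, "NUL byte"] if str.include?("\0")

  uri = begin
    URI.parse(str)
  rescue URI::InvalidURIError
    nil # not a URI (e.g. a filename with spaces): treat as a local path
  end
  return [:local, str] if uri.nil? || uri.scheme.nil?

  if ALLOWED_REMOTE_SCHEMES.include?(uri.scheme.downcase) && !uri.host.to_s.empty?
    [:remote, uri]
  else
    [:rejected, "scheme or host not allowed: #{uri.scheme}"]
  end
end

def safe_open(input, &block)
  kind, value = classify_image_source(input)
  case kind
  when :local  then File.open(value, "rb", &block) # plain file open, no pipe handling
  when :remote then value.open("rb", &block)       # open-uri on a parsed http(s) URI
  else raise ArgumentError, "refusing to open image source (#{value})"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs; they are only classified, nothing is opened.
  ["photo.png", "https://example.test/a.png",
   "| constructed-command", "ftp://example.test/a.png"].each do |s|
    kind, = classify_image_source(s)
    puts "#{s.inspect} -> #{kind}"
  end
end
```

Because the local branch never goes through `Kernel#open`, a filename that starts with `|` can at worst fail as a missing file; the explicit rejection adds a clear error on top of that.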
Vulnerable Product |
---|
minimagick project minimagick |
debian debian linux 10.0 |
debian debian linux 9.0 |