Vulnerability CVE-2019-13574


Published: 2019-07-11   Modified: 2019-07-12

Description:
In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

 References:
https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851
https://github.com/minimagick/minimagick/compare/d484786...293f9bb
https://github.com/minimagick/minimagick/releases/tag/v4.9.4

Copyright 2019, cxsecurity.com

 

Back to Top