GHSA-26hp-cgjj-m2j3

Source

https://github.com/advisories/GHSA-26hp-cgjj-m2j3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-26hp-cgjj-m2j3/GHSA-26hp-cgjj-m2j3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-26hp-cgjj-m2j3

Published

2024-05-15T21:44:46Z

Modified

2024-11-29T05:41:52.002545Z

Summary

fuel/core ImageMagick driver does not escape all shell arguments.

Details

This vulnerability may cause OS commands to be executed when you pass unvalidated image filenames containing specially crafted strings to the ImageMagick driver.

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-15T21:44:46Z"
}

References

Affected packages

Packagist / fuel/core

Package

Name: fuel/core
Purl: pkg:composer/fuel/core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.8.0.4

Affected versions

1.*

1.8.0

1.8.0.1

1.8.0.2

1.8.0.3