GHSA-r7j3-vvh2-xrpj

Source

https://github.com/advisories/GHSA-r7j3-vvh2-xrpj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/07/GHSA-r7j3-vvh2-xrpj/GHSA-r7j3-vvh2-xrpj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-r7j3-vvh2-xrpj

Aliases

CVE-2019-13574

Published

2019-07-18T13:19:22Z

Modified

2024-02-19T05:32:31.104648Z

Severity

7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H CVSS Calculator

Summary

OS Command Injection in MiniMagick

Details

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a | character followed by a command.

Database specific

{
    "nvd_published_at": "2019-07-12T03:15:00Z",
    "cwe_ids": [
        "CWE-78"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2019-07-18T13:18:58Z"
}

References

Affected packages

RubyGems / mini_magick

Package

Name: mini_magick
Purl: pkg:gem/mini_magick

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

4.9.4

Affected versions

1.*

1.0.1

1.1.0

1.2.0

1.2.1

1.2.2

1.2.3

1.2.5

1.3.0

1.3.1

1.3.2

1.3.3

2.*

2.0.0

2.0.1

2.0.2

2.1

2.3

3.*

3.0

3.1

3.2

3.2.1

3.3

3.4

3.5.0

3.6.0

3.7.0

3.8.0

3.8.1

4.*

4.0.0.rc

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.1.0

4.1.1

4.2.0

4.2.1

4.2.3

4.2.4

4.2.5

4.2.7

4.2.9

4.2.10

4.3.1

4.3.2

4.3.3

4.3.4

4.3.5

4.3.6

4.4.0

4.5.0

4.5.1

4.6.0

4.6.1

4.7.0

4.7.1

4.7.2

4.8.0

4.9.0

4.9.1

4.9.2

4.9.3