CVE-2019-13574

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

References

Affected packages

Git / github.com/minimagick/minimagick

Affected ranges

Type: GIT
Repo: https://github.com/minimagick/minimagick
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

293f9bb76b72f99150a07be7dae9b0bebc5132d0

Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

4cd5081e58810d3394d27a67219e8e4e0445d851

Affected versions

3.*

3.7.0

v1.*

v1.2.5

v3.*

v3.4

v3.5.0

v3.6.0

v3.7.0

v3.8.0

v3.8.1

v4.*

v4.0.0

v4.0.0.rc

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.1.0

v4.1.1

v4.2.0

v4.2.1

v4.2.10

v4.2.2

v4.2.3

v4.2.4

v4.2.5

v4.2.7

v4.2.8

v4.2.9

v4.3.0

v4.3.1

v4.3.2

v4.3.3

v4.3.4

v4.3.5

v4.3.6

v4.4.0

v4.5.0

v4.5.1

v4.6.0

v4.6.1

v4.7.0

v4.7.1

v4.7.2

v4.8.0

v4.9.0

v4.9.1

v4.9.2

v4.9.3

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-13574.json"