UBUNTU-CVE-2022-24720

Source
https://ubuntu.com/security/CVE-2022-24720
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2022/UBUNTU-CVE-2022-24720.json
JSON Data
https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2022-24720
Related
Published
2022-03-01T23:15:00Z
Modified
2022-03-01T23:15:00Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
[none]
Details

image_processing is a Ruby gem that wraps libvips and ImageMagick/GraphicsMagick for image processing. Before version 1.12.2, passing a series of operations taken from unsanitized user input to the gem's #apply method lets an attacker execute shell commands. Active Storage variants call this method internally, so Active Storage is affected as well. The issue is fixed in image_processing 1.12.2. As a workaround, applications that build operations from user input should restrict them to an allowlist of permitted operations and their arguments rather than forwarding the input as-is.
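The workaround above, as an added example that is not code from the advisory or from the image_processing project: an allowlist filter that validates a user-supplied operation hash before it is handed to #apply. The operation names, argument limits, helper names (sanitize_operations, safe_operations?) and the sample payloads are assumptions chosen for illustration; #apply accepting a Hash of operation name => arguments is the gem's documented interface.

```ruby
# Added example (not from the advisory or the image_processing gem): constrain
# user-supplied operations to an allowlist before they reach #apply.
# Operation names, limits and sample payloads below are assumptions.

class DisallowedOperation < StandardError; end

MAX_DIMENSION = 4096 # assumed upper bound for width/height arguments

# A [width, height] pair of positive Integers within the assumed bound.
def dimensions?(args)
  args.is_a?(Array) && args.size == 2 &&
    args.all? { |v| v.is_a?(Integer) && v.between?(1, MAX_DIMENSION) }
end

# Allowed operation name => validator for its argument value. #apply takes a
# Hash of operation name => arguments (an Array of positional arguments, a
# single value, or true meaning "call with no arguments").
ALLOWED_OPERATIONS = {
  "resize_to_limit" => ->(args) { dimensions?(args) },
  "resize_to_fill"  => ->(args) { dimensions?(args) },
  "convert"         => ->(args) { %w[jpg jpeg png webp].include?(args) },
  "strip"           => ->(args) { args == true },
  "quality"         => ->(args) { args.is_a?(Integer) && args.between?(1, 100) },
}.freeze

# Returns a new Hash with symbol keys, suitable for passing to #apply, or
# raises DisallowedOperation. Keys are compared as strings because request
# parameters usually arrive with string keys; anything not on the allowlist
# (including any method name the pipeline happens to respond to) is rejected.
def sanitize_operations(user_ops)
  raise DisallowedOperation, "operations must be a Hash" unless user_ops.is_a?(Hash)

  user_ops.each_with_object({}) do |(name, args), safe|
    key = name.to_s
    validator = ALLOWED_OPERATIONS[key]
    raise DisallowedOperation, "operation #{key.inspect} is not allowed" unless validator
    raise DisallowedOperation, "bad arguments for #{key}: #{args.inspect}" unless validator.call(args)

    safe[key.to_sym] = args
  end
end

# Non-raising variant for callers that only need a yes/no answer.
def safe_operations?(user_ops)
  sanitize_operations(user_ops)
  true
rescue DisallowedOperation
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample payloads standing in for request parameters.
  good = { "resize_to_limit" => [400, 400], "convert" => "png", "strip" => true }
  bad  = { "resize_to_limit" => [400, 400], "identify" => "-" }

  p sanitize_operations(good)
  p safe_operations?(bad)

  # Vulnerable pattern the advisory describes (image_processing < 1.12.2),
  # shown as a comment because the gem is not loaded in this example:
  #   ImageProcessing::MiniMagick.source(path).apply(params[:operations]).call
  # Hardened form, same call with the filter in front of it:
  #   ImageProcessing::MiniMagick.source(path)
  #     .apply(sanitize_operations(params[:operations])).call
end
```

Apply the filter on every path where operations originate outside the application, including parameters that feed Active Storage variant definitions. Note also that Ubuntu ships the fix as a backport: the package version stays at 1.10.3 (1.10.3-1ubuntu0.20.04.1 on focal, 1.10.3-1ubuntu0.22.04.1 on jammy, 1.10.3-3 on noble), so comparing the gem's version string against upstream's 1.12.2 would report a patched system as vulnerable; check the Debian package version with `dpkg -s ruby-image-processing` instead.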

References

Affected packages

Ubuntu:20.04:LTS / ruby-image-processing

Package

Name
ruby-image-processing
Purl
pkg:deb/ubuntu/ruby-image-processing?arch=src?distro=focal

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.3-1ubuntu0.20.04.1

Affected versions

1.*

1.10.3-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.10.3-1ubuntu0.20.04.1",
            "binary_name": "ruby-image-processing"
        }
    ]
}

Ubuntu:22.04:LTS / ruby-image-processing

Package

Name
ruby-image-processing
Purl
pkg:deb/ubuntu/ruby-image-processing?arch=src?distro=jammy

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.3-1ubuntu0.22.04.1

Affected versions

1.*

1.10.3-1

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.10.3-1ubuntu0.22.04.1",
            "binary_name": "ruby-image-processing"
        }
    ]
}

Ubuntu:24.04:LTS / ruby-image-processing

Package

Name
ruby-image-processing
Purl
pkg:deb/ubuntu/ruby-image-processing?arch=src?distro=noble

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.10.3-3

Ecosystem specific

{
    "availability": "No subscription required",
    "ubuntu_priority": "medium",
    "binaries": [
        {
            "binary_version": "1.10.3-3",
            "binary_name": "ruby-image-processing"
        }
    ]
}