In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.
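An added Ruby example (not MiniMagick's code or its actual patch) of the defensive pattern this description points to: classify the input and open it through an explicit API, so the string never reaches Kernel#open. The helper names, the http/https allow-list and the sample inputs are assumptions constructed for illustration.

```ruby
require "uri"
require "pathname"
require "tempfile"

# Hypothetical allow-list; adjust to what the application really needs.
ALLOWED_SCHEMES = %w[http https].freeze

# Hypothetical helper: decide how an image source may be opened.
# Returns [:remote, URI] or [:local, Pathname]; never calls Kernel#open.
def resolve_image_source(input)
  str = input.to_s
  # Kernel#open treats a leading "|" as "run this command"; refuse it outright
  # (leading whitespace is stripped first as a stricter, defence-in-depth check).
  raise ArgumentError, "pipe-prefixed input rejected" if str.lstrip.start_with?("|")

  if str.match?(%r{\A[A-Za-z][A-Za-z0-9+\-.]*://})
    uri = URI.parse(str) # raises URI::InvalidURIError on malformed input
    unless ALLOWED_SCHEMES.include?(uri.scheme.downcase)
      raise ArgumentError, "scheme not allowed: #{uri.scheme}"
    end
    [:remote, uri] # caller fetches with an HTTP client, not Kernel#open
  else
    [:local, Pathname.new(str)]
  end
end

# Reads a local image; Pathname#open delegates to File.open, which only
# ever opens a file and has no command-spawning mode.
def read_local_image(input)
  kind, source = resolve_image_source(input)
  raise ArgumentError, "not a local path" unless kind == :local
  source.open("rb") { |f| f.read }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, for illustration only.
  ["https://images.example.test/cat.png",
   "|echo constructed",
   "file:///constructed/path.png"].each do |sample|
    begin
      kind, source = resolve_image_source(sample)
      puts "#{sample.inspect} -> #{kind} (#{source})"
    rescue ArgumentError, URI::InvalidURIError => e
      puts "#{sample.inspect} -> rejected: #{e.message}"
    end
  end
end
```

The same review applies to any other call site that hands caller-controlled strings to Kernel#open.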
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2019-07-12T02:31:25
Updated: 2024-08-04T23:57:39.417Z
Reserved: 2019-07-11T00:00:00
Link: CVE-2019-13574
NVD
Status: Modified
Published: 2019-07-12T03:15:10.467
Modified: 2020-08-24T17:37:01.140
Link: CVE-2019-13574