Remote Command Execution Vulnerability in MiniMagick Image Processing Library

CVE-2019-13574 · MEDIUM Severity

CVSS v2 vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.
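
The defensive pattern this implies, as an added example (not code from MiniMagick or from this advisory): never hand an untrusted source string to Kernel#open; classify it first, then read local files with File.open. The helper names and the http/https allow-list are assumptions made for illustration.

```ruby
require "uri"

# Assumed policy: only these schemes count as remote image sources.
ALLOWED_REMOTE_SCHEMES = %w[http https].freeze

# Hypothetical helper, not MiniMagick's API: decide how a source string may
# be opened without ever handing it to Kernel#open.
def classify_image_source(source)
  str = source.to_s
  # Kernel#open runs a command when the string starts with '|', so refuse
  # it (also after leading whitespace, as extra caution).
  return [:rejected, "leading pipe"] if str.lstrip.start_with?("|")

  uri = begin
    URI.parse(str)
  rescue URI::InvalidURIError
    # Looks like a URL but does not parse: do not fall back to a file path.
    return [:rejected, "invalid URI"] if str.match?(%r{\A[A-Za-z][A-Za-z0-9+.\-]*://})
    nil
  end

  if uri && uri.scheme
    ok = ALLOWED_REMOTE_SCHEMES.include?(uri.scheme.downcase) && !uri.host.to_s.empty?
    return ok ? [:remote, uri] : [:rejected, "scheme #{uri.scheme}"]
  end
  [:local, str]
end

# Local sources are read with File.open, which only opens files and gives
# '|' no special meaning.
def read_local_image(source)
  kind, value = classify_image_source(source)
  raise ArgumentError, "refusing image source (#{value})" unless kind == :local
  File.open(value, "rb", &:read)
end
```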