CVE-2019-13574

HIGH

MiniMagick <4.9.4 - RCE

Title source: llm

Description

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

Exploits (1)

nomisec WORKING POC 1 stars

by masahiro331 · poc

https://github.com/masahiro331/CVE-2019-13574

View Code ZIP pw:eip

References (7)

[Exploit, Third Party Advisory] https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/

[Patch, Third Party Advisory] https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851

[Patch, Third Party Advisory] https://github.com/minimagick/minimagick/compare/d484786...293f9bb

[Release Notes, Third Party Advisory] https://github.com/minimagick/minimagick/releases/tag/v4.9.4

[Mailing List] https://lists.debian.org/debian-lts-announce/2019/10/msg00007.html

[Mailing List, Third Party Advisory] https://seclists.org/bugtraq/2019/Jul/20

[Third Party Advisory] https://www.debian.org/security/2019/dsa-4481

Scores

CVSS v3 7.8

EPSS 0.2949

EPSS Percentile 96.6%

Attack Vector LOCAL

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-78

Status published

Products (4)

debian/debian_linux 9.0

debian/debian_linux 10.0

minimagick_project/minimagick < 4.9.4

rubygems/mini_magick 0 - 4.9.4RubyGems

Published Jul 12, 2019

Tracked Since Feb 18, 2026