CVE-2019-13574
Severity: HIGH
MiniMagick < 4.9.4 - Remote Code Execution via Image.open Kernel#open Command Injection
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-13574. PoCs published by masahiro331.
AI-analyzed exploit summary
This PoC exploits CVE-2019-13574, a command injection vulnerability in the MiniMagick gem, by passing a malicious input to the `Image.open` method. The exploit demonstrates arbitrary command execution via shell metacharacters.
Description
In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.
Exploits (1)
References (7)
Scores
CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H