Unknown · Image Processing · CVE-2022-24720
**Name of the Vulnerable Software and Affected Versions**
image processing versions prior to 1.12.2
ruby-image-processing versions prior to 1.10.3-1+deb11u1
**Description**
The image processing library, a wrapper for libvips and ImageMagick/GraphicsMagick, contains a flaw where unsanitized user input passed to the `#apply` method can lead to remote code execution. This occurs because the library does not adequately neutralize special elements used in operating system commands. The issue affects Active Storage variants as well, since they internally call this method. Exploitation of this flaw could allow a remote attacker to execute arbitrary shell commands.
**API Endpoints:** No specific API endpoints are mentioned.
**Vulnerable Parameters or Variables:** `operations`
**Function Names:** `ImageProcessing::Vips.apply()`
**Recommendations**
Update image processing to version 1.12.2 or later.
Update ruby-image-processing to version 1.10.3-1+deb11u1 or later.
If you are processing images based on user input, always sanitize the input by allowing only a constrained set of operations.
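Added example (not code from the advisory or from the image_processing gem): a Ruby allow-list that enforces the recommendation above, so that user-supplied operations are validated before they reach the `#apply` method named in the description. It assumes the request has already been parsed into an array of `[operation_name, *arguments]`; `UnsafeOperation`, `ALLOWED_OPERATIONS` and the helper names are hypothetical.

```ruby
# Added example: allow-list validation of user-supplied operations before they
# reach ImageProcessing's #apply (mitigation for CVE-2022-24720).
# Assumptions: input has been parsed from JSON into an array of
# [operation_name, *arguments]; the names below are the ones this
# hypothetical application chooses to expose.

class UnsafeOperation < StandardError; end

def positive_int?(value)
  value.is_a?(Integer) && value > 0 && value <= 10_000
end

# operation name => validator for its argument list; anything else is rejected
ALLOWED_OPERATIONS = {
  "resize_to_limit" => ->(args) { args.size == 2 && args.all? { |a| positive_int?(a) } },
  "resize_to_fit"   => ->(args) { args.size == 2 && args.all? { |a| positive_int?(a) } },
  "rotate"          => ->(args) { args.size == 1 && [90, 180, 270].include?(args[0]) },
  "convert"         => ->(args) { args.size == 1 && %w[jpg png webp].include?(args[0]) },
}.freeze

# Returns operations as [[name, [args...]], ...], the pair form #apply iterates
# over, or raises UnsafeOperation. Unlike passing params[:operations] straight
# through, only names present in ALLOWED_OPERATIONS can ever be dispatched.
def sanitize_operations(raw_ops)
  raise UnsafeOperation, "operations must be an array" unless raw_ops.is_a?(Array)

  raw_ops.map do |entry|
    unless entry.is_a?(Array) && (entry[0].is_a?(String) || entry[0].is_a?(Symbol))
      raise UnsafeOperation, "malformed operation: #{entry.inspect}"
    end
    name, *args = entry
    validator = ALLOWED_OPERATIONS[name.to_s]
    raise UnsafeOperation, "operation not allowed: #{name}" unless validator
    raise UnsafeOperation, "bad arguments for #{name}: #{args.inspect}" unless validator.call(args)
    [name.to_sym, args]
  end
end

# Boolean convenience for request validation.
def safe_operations?(raw_ops)
  sanitize_operations(raw_ops)
  true
rescue UnsafeOperation
  false
end

# Usage with the gem (not run here; requires image_processing and libvips):
#   ops = sanitize_operations(JSON.parse(request.body.read))
#   ImageProcessing::Vips.source("input.jpg").apply(ops).call
```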