PT-2019-4927 · Ruby · Minimagick

Harsh Jaiswal · Published 2019-05-26 · Updated 2021-05-06 · CVE-2019-13574

CVSS v2.0: 9.3 (High)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: MiniMagick versions prior to 4.9.4

Description: The issue exists due to insufficient input validation in MiniMagick and allows a remote attacker to execute arbitrary code. In the lib/mini_magick/image.rb file, a fetched remote image filename can cause remote command execution because the Image.open input is passed directly to Kernel#open, which accepts a | character followed by a command.

Recommendations: For versions prior to 4.9.4, update to version 4.9.4 or later to resolve the issue. As a temporary workaround, restrict the use of Image.open with remote image filenames until the patch is applied, and avoid passing untrusted input to Kernel#open.
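The root cause and the recommended mitigation side by side, as an added example that is not MiniMagick's own code: Kernel#open decides by the first character of the string, so a name beginning with | is run as a command, while File.open has no pipe semantics at all. The helper names (read_image_unsafe, pipe_command?, read_image_safe, file_open_has_no_pipe_semantics?) and the sample bytes are assumptions made for this illustration.

```ruby
# Added example; not MiniMagick's code. Helper names are hypothetical.
require "tempfile"

# Vulnerable pattern (the "before" from the advisory): Kernel#open looks at
# the FIRST character of the string. A name beginning with "|" is not opened
# as a file; the remainder is executed as a command and its output returned.
# Never reach this with a path chosen by a user or by a remote server.
def read_image_unsafe(path)
  open(path, "rb", &:read)
end

# Reports whether Kernel#open would treat +name+ as a pipe instead of a file.
# Usable both as an input check and as a detection rule over logged filenames.
def pipe_command?(name)
  name.to_s.start_with?("|")
end

# Hardened replacement: reject pipe-style names explicitly (so the attempt can
# be logged) and use File.open, which never interprets "|". Even if the guard
# were bypassed, a "|..." name would only raise Errno::ENOENT.
def read_image_safe(path)
  raise ArgumentError, "refusing pipe-style filename: #{path.inspect}" if pipe_command?(path)
  File.open(path, "rb", &:read)
end

# Demonstrates the property the hardening relies on: File.open treats
# "|echo ..." as an ordinary (missing) filename and executes nothing.
def file_open_has_no_pipe_semantics?
  File.open("|echo should-not-run", "rb", &:read)
  false
rescue Errno::ENOENT
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a temp file holding PNG magic bytes, not a real image.
  Tempfile.create(["sample", ".png"]) do |f|
    f.binmode
    f.write("\x89PNG\r\n\x1a\n".b)
    f.flush
    puts read_image_safe(f.path).bytesize    # 8
    puts pipe_command?("|echo hi")           # true
    puts file_open_has_no_pipe_semantics?    # true
  end
end
```

In a codebase that wraps MiniMagick, the practical check is the same: grep for bare open( calls on anything derived from request parameters or fetched URLs, and replace them with File.open (or a dedicated HTTP client for remote resources) so that a leading | can never change what the call means.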

Tags: Exploit · Fix · OS Command Injection · RCE


Weakness Enumeration

Related Identifiers

BDU:2020-01532
CVE-2019-13574
DLA-1948-1
DSA-4481-1
GHSA-R7J3-VVH2-XRPJ
OESA-2021-1150

Affected Products

Minimagick