PT-2022-2570 · Unknown+2 · Image Processing+3

Janko · Published 2022-03-01 · Updated 2025-10-05

CVE-2022-24720 · CVSS v2.0: 10 (Critical) · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: image processing versions prior to 1.12.2; ruby-image-processing versions prior to 1.10.3-1+deb11u1

Description: The image processing library, a wrapper for libvips and ImageMagick/GraphicsMagick, contains a flaw where unsanitized user input passed to the #apply method can lead to remote code execution. The library does not adequately neutralize special elements used in operating system commands. Active Storage variants are also affected, since they call this method internally. Exploitation of this flaw could allow a remote attacker to execute arbitrary shell commands.

API Endpoints: No specific API endpoints are mentioned.
Vulnerable Parameters or Variables: operations
Function Names: ImageProcessing::Vips.apply()

Recommendations: Update image processing to version 1.12.2 or later. Update ruby-image-processing to version 1.10.3-1+deb11u1 or later. If you process images based on user input, always sanitize the input by allowing only a constrained set of operations.
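The recommendation above (constrain user-controlled operations before they reach #apply) as an added example; this is not code from the advisory or from the image_processing gem, and the permitted operation names, argument shapes and size limit are assumptions chosen for illustration:

```ruby
# Added example, not code from the advisory or the image_processing gem:
# an allowlist applied to a user-supplied operations hash before it is
# handed to ImageProcessing::Vips.apply. Operation names, argument shapes
# and MAX_DIMENSION are assumptions for illustration.
module VariantSanitizer
  class UnsafeOperation < ArgumentError; end

  MAX_DIMENSION = 4096

  # Exactly `count` positive integers, none larger than MAX_DIMENSION.
  def self.positive_ints?(args, count)
    args.size == count && args.all? { |a| a.is_a?(Integer) && a > 0 && a <= MAX_DIMENSION }
  end

  # Permitted operation name => validator for its argument array.
  # Any name not listed here (including other builder methods) is
  # rejected before #apply can dispatch it.
  ALLOWED = {
    "resize_to_limit" => ->(args) { positive_ints?(args, 2) },
    "resize_to_fill"  => ->(args) { positive_ints?(args, 2) },
    "rotate"          => ->(args) { args.size == 1 && args[0].is_a?(Integer) && [90, 180, 270].include?(args[0]) },
    "convert"         => ->(args) { args.size == 1 && %w[jpg png webp].include?(args[0]) }
  }.freeze

  # Takes the raw operations hash from the request (string or symbol keys,
  # a single argument or an argument array per operation) and returns a
  # frozen hash with symbol keys and argument arrays, the shape #apply
  # accepts. Unknown operations or malformed arguments raise.
  def self.sanitize(raw)
    raise UnsafeOperation, "operations must be a Hash" unless raw.is_a?(Hash)

    raw.each_with_object({}) do |(name, value), safe|
      key = name.to_s
      validator = ALLOWED[key]
      raise UnsafeOperation, "operation not permitted: #{key}" unless validator

      args = value.is_a?(Array) ? value : [value]
      raise UnsafeOperation, "bad arguments for #{key}: #{args.inspect}" unless validator.call(args)

      safe[key.to_sym] = args
    end.freeze
  end
end

# Assumed controller usage: only the sanitized hash reaches the pipeline.
#   ImageProcessing::Vips.source(path).apply(VariantSanitizer.sanitize(params[:operations])).call
```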

Tags: Exploit · Fix · RCE · OS Command Injection

Weakness Enumeration

Related Identifiers

BDU:2022-03011
CVE-2022-24720
DSA-5310-1
GHSA-CXF7-QRC5-9446
USN-6675-1

Affected Products

Active Storage
Linuxmint
Ubuntu
Image Processing