Executive Summary

Information
Name : CVE-2019-13574
First vendor Publication : 2019-07-11
Vendor : Cve
Last vendor Modification : 2019-10-07

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Cvss Base Score : 6.8
Cvss Impact Score : 6.4
Cvss Exploit Score : 8.6
Attack Range : Network
Attack Complexity : Medium
Authentication : None Required

Detail

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

Original Source

Url : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13574

CWE : Common Weakness Enumeration

%  id  Name
100 %  CWE-20  Improper Input Validation

CPE : Common Platform Enumeration

Type : Application, Count : 46
Type : Os, Count : 2

Sources (Detail)

Source  Url
BUGTRAQ  https://seclists.org/bugtraq/2019/Jul/20
DEBIAN  https://www.debian.org/security/2019/dsa-4481
MISC  https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-versi...
MISC  https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8...
MISC  https://github.com/minimagick/minimagick/compare/d484786...293f9bb
MISC  https://github.com/minimagick/minimagick/releases/tag/v4.9.4
MLIST  https://lists.debian.org/debian-lts-announce/2019/10/msg00007.html

Alert History

Date  Information
2019-10-08 17:20:19
  • Multiple Updates
2019-07-22 21:19:35
  • Multiple Updates
2019-07-15 17:19:29
  • Multiple Updates
2019-07-14 05:19:16
  • Multiple Updates
2019-07-12 21:19:26
  • Multiple Updates
2019-07-12 17:18:48
  • Multiple Updates
2019-07-12 09:18:23
  • First insertion