High severity vulnerability that affects mini_magick

2019-07-18T13:19:22
ID GHSA-R7J3-VVH2-XRPJ
Type github
Reporter GitHub Advisory Database
Modified 2019-07-18T13:19:22

Description

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.