CVSS2: 10 High (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Authentication | NONE
Confidentiality Impact | COMPLETE
Integrity Impact | COMPLETE
Availability Impact | COMPLETE

CVSS3: 9.8 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

EPSS: 0.003 Low (Percentile 71.6%)
image_processing is an image processing wrapper for libvips and
ImageMagick/GraphicsMagick. Prior to version 1.12.2, passing a series of
operations taken from unsanitized user input to image_processing's #apply
method allows an attacker to execute shell commands. Active Storage calls
this method internally when generating variants, so Active Storage is
vulnerable as well. The vulnerability has been fixed in version 1.12.2 of
image_processing. As a workaround, applications that build operations from
user input should always sanitize that input by allowing only a constrained
set of operations.
OS | OS Version | Architecture | Package | Package Version | Filename
---|---|---|---|---|---
ubuntu | 20.04 | noarch | ruby-image-processing | < 1.10.3-1ubuntu0.20.04.1 | UNKNOWN
ubuntu | 22.04 | noarch | ruby-image-processing | < 1.10.3-1ubuntu0.22.04.1 | UNKNOWN
github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada (v1.12.2)
github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
launchpad.net/bugs/cve/CVE-2022-24720
nvd.nist.gov/vuln/detail/CVE-2022-24720
security-tracker.debian.org/tracker/CVE-2022-24720
ubuntu.com/security/notices/USN-6675-1
www.cve.org/CVERecord?id=CVE-2022-24720