
CVE-2019-13574:
OS Command Injection in MiniMagick

CVSS Score: 7.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.96378%
Published: 7/18/2019
Updated: 8/29/2023
KEV Status: No
Technology: Ruby

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Package Name   Ecosystem   Vulnerable Versions   First Patched Version
mini_magick    rubygems    < 4.9.4               4.9.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from the pre-patch implementation of MiniMagick::Image.open in lib/mini_magick/image.rb, which used Kernel#open to handle input. Kernel#open has dangerous behavior where strings starting with | execute shell commands. The patch replaced Kernel#open with URI.open for HTTP/FTP and File.open for local files, which neutralizes this vector. The added test case "| touch file.txt" in the spec file demonstrates the exploit attempt, which would have succeeded with the vulnerable Kernel#open implementation.
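To make the fix concrete, the following is an added example (not MiniMagick's own code and not taken from the patch) of the pattern the analysis describes: dispatching on the URI scheme to URI.open for remote resources and File.open for everything else, so that no input ever reaches Kernel#open. The helper names safe_open_image, pipe_prefixed? and open_result, and the constructed sample PNG file, are assumptions for illustration. The same "| touch file.txt" string from the spec file is used as input to show that with File.open it is treated as a missing filename rather than a command.

```ruby
require "open-uri"
require "uri"
require "tempfile"

# Schemes that are handed to open-uri; anything else is a local path.
REMOTE_SCHEMES = %w[http https ftp].freeze

# Hardened opener modelled on the patch described above (illustrative helper,
# not MiniMagick's own code). It never calls Kernel#open, so a string starting
# with "|" cannot be interpreted as a command to spawn.
def safe_open_image(path_or_url, &block)
  scheme = begin
    URI.parse(path_or_url.to_s).scheme
  rescue URI::InvalidURIError
    nil # strings with spaces or pipes are not URIs; treat them as local paths
  end

  if REMOTE_SCHEMES.include?(scheme)
    URI.open(path_or_url, "rb", &block)  # open-uri fetch: HTTP/FTP only, no shell
  else
    File.open(path_or_url, "rb", &block) # File.open opens a file, never a process
  end
end

# Defensive input check mirroring what the WAF rule looks for: a value that
# Kernel#open would have treated as a command line.
def pipe_prefixed?(input)
  input.to_s.lstrip.start_with?("|")
end

# Returns the first four bytes of the opened input, or :no_such_file when the
# input is not an existing local file. With File.open the former payload
# "| touch file.txt" becomes exactly that: a file that does not exist.
def open_result(input)
  safe_open_image(input) { |io| io.read(4) }
rescue Errno::ENOENT
  :no_such_file
end

# Constructed sample input: a temporary file holding only a PNG signature.
def read_sample_png
  Tempfile.create(["sample", ".png"]) do |f|
    f.binmode
    f.write("\x89PNG".b)
    f.flush
    open_result(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts read_sample_png.bytes.inspect           # [137, 80, 78, 71]
  puts open_result("| touch file.txt").inspect # :no_such_file
  puts pipe_prefixed?("| touch file.txt")      # true
end
```

The scheme check is deliberately an allow-list: an unknown scheme falls through to File.open, which is the safe default, and the pipe_prefixed? check is useful at the boundary (request validation, WAF, or logging) even once the opener itself is fixed, because a "|"-prefixed filename has no legitimate use as an image source.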

Vulnerable functions


WAF Protection Rules

WAF Rule

In `lib/mini_magick/image.rb` in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because `Image.open` input is directly passed to `Kernel#open`, which accepts a `|` character followed by a command.

Reasoning

The vulnerability stems from the pre-patch implementation of `MiniMagick::Image.open` in `lib/mini_magick/image.rb`, which used `Kernel#open` to handle input. `Kernel#open` has dangerous behavior where strings starting with `|` execute shell commands