Arbitrary Command Injection Affecting quick_magick package, versions >= 0

Snyk CVSS

Attack Complexity High

Confidentiality High

Integrity High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-QUICKMAGICK-20012
published 11 Jan 2011
disclosed 11 Jan 2011
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 11 Jan 2011

CWE-77 Open this link in a new tab

Overview

quick_magick allows you to access ImageMagick command line functions using Ruby interface. Affected versions of this gem contain a flaw in the QuickMagick::Image.read function. The issue is triggered when handling a specially crafted string. This may allow a remote attacker to inject arbitrary commands.

References

http://rubysec.com/advisories/OSVDB-106954