CVE-2022-24720

EUVD-2022-1412
image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 74%
Affected Products (NVD)
VendorProductVersion
image_processing_projectimage_processing
𝑥
< 1.12.2
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-image-processing
bookworm
1.10.3-3
fixed
bullseye
1.10.3-1+deb11u1
fixed
bullseye (security)
1.10.3-1+deb11u1
fixed
sid
1.13.0-1
fixed
trixie
1.13.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-image-processing
focal
Fixed 1.10.3-1ubuntu0.20.04.1
released
impish
ignored
jammy
Fixed 1.10.3-1ubuntu0.22.04.1
released
kinetic
dne
lunar
ignored
mantic
not-affected
noble
not-affected
trusty
ignored
xenial
ignored
Common Weakness Enumeration
References
https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
https://www.debian.org/security/2022/dsa-5310
https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
https://www.debian.org/security/2022/dsa-5310