CVE-2022-24720

image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
GitHub_MCNA
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVEADP
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 71%
VendorProductVersion
image_processing_projectimage_processing
𝑥
< 1.12.2
debiandebian_linux
11.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
ruby-image-processing
bullseye (security)
1.10.3-1+deb11u1
fixed
bullseye
1.10.3-1+deb11u1
fixed
bookworm
1.10.3-3
fixed
sid
1.13.0-1
fixed
trixie
1.13.0-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby-image-processing
noble
not-affected
mantic
not-affected
lunar
ignored
kinetic
dne
jammy
Fixed 1.10.3-1ubuntu0.22.04.1
released
impish
ignored
focal
Fixed 1.10.3-1ubuntu0.20.04.1
released
xenial
ignored
trusty
ignored
Common Weakness Enumeration
References
https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
https://www.debian.org/security/2022/dsa-5310
https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
https://www.debian.org/security/2022/dsa-5310