CVE-2022-24720: Improper Input Validation in Image Processing

Severity: 9.8 CRITICAL (NVD)
EPSS: 0.9% (top 24.68%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 1; latest update Mar 5

Description

image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process bas

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (4 packages)

CVEListV5: janko/image_processing < 1.12.2
Debian: debian/ruby-image-processing < ruby-image-processing 1.10.3-2 (bookworm)

Also affects: Debian Linux 11.0

Patches

Vulnerability Details (3)

GHSA: Remote shell execution vulnerability in image_processing (2022-03-01)
OSV: CVE-2022-24720: image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick (2022-03-01)
OSV: Remote shell execution vulnerability in image_processing (2022-03-01)

Vendor Advisories (2)

Ubuntu: ImageProcessing vulnerability (2024-03-05)
Debian: CVE-2022-24720: ruby-image-processing - image_processing is an image processing wrapper for libvips and ImageMagick/Grap... (2022)