CVE-2019-13574 — Vulnetix

CVE-2019-13574 PUBLISHED

In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.

EPSS 29.12% · 96.7th percentile

Risk Scores

EPSS Score

29.12%

96.7th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	ruby-mini-magick	4.2.3-1, 0, 4.3.3-2
Ubuntu:18.04:LTS	ruby-mini-magick	4.8.0-2, 4.8.0-1, 4.7.2-1

Exploit Intelligence

masahiro331/CVE-2019-13574 (github-poc)
masahiro331/CVE-2019-13574 (github-poc)
masahiro331/CVE-2019-13574 (github-poc)
masahiro331/CVE-2019-13574 (github-poc)
masahiro331/CVE-2019-13574 (github-poc)
masahiro331/CVE-2019-13574 (github-poc)
https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ (nist-nvd)
https://github.com/minimagick/minimagick/compare/d484786...293f9bb (circl)
[debian-lts-announce] 20191007 [SECURITY] [DLA 1948-1] ruby-mini-magick security update (circl)
20190715 [SECURITY] [DSA 4481-1] ruby-mini-magick security update (circl)

…and 3 more exploits

Timeline

Jul 12, 2019 CVE Published
Aug 24, 2020 CVE Updated
Apr 14, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Mar 17, 2025 EPSS Score
Mar 18, 2025 EPSS Score
Mar 19, 2025 EPSS Score
Mar 27, 2025 EPSS Score
Mar 28, 2025 EPSS Score
Mar 29, 2025 EPSS Score
Apr 1, 2025 EPSS Score
Apr 2, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2019-13574 third-party-advisory
https://benjamin-bouchet.com/blog/vulnerabilite-dans-la-gem-mini_magick-version-4-9-4/ third-party-advisory
https://github.com/minimagick/minimagick/commit/4cd5081e58810d3394d27a67219e8e4e0445d851 third-party-advisory
https://github.com/minimagick/minimagick/compare/d484786...293f9bb third-party-advisory
https://github.com/minimagick/minimagick/releases/tag/v4.9.4 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2019-13574 third-party-advisory

Open in Interactive Console →