Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1jeGY3LXFyYzUtOTQ0Ns0viw

Remote shell execution vulnerability in image_processing

Impact

When using the #apply method from image_processing to apply a series of operations that are coming from unsanitized user input, this allows the attacker to execute shell commands:

ImageProcessing::Vips.apply({ system: "echo EXECUTED" })
#>> EXECUTED

This method is called internally by Active Storage variants, so Active Storage is vulnerable as well.

Patches

The vulnerability has been fixed in version 1.12.2 of image_processing.

Workarounds

If you're processing based on user input, it's highly recommended that you always sanitize the user input, by allowing only a constrained set of operations. For example:

operations = params[:operations]
  .map { |operation| [operation[:name], *operation[:value]] }
  .select { |name, *| name.to_s.include? %w[resize_to_limit strip ...] } # sanitization

ImageProcessing::Vips.apply(operations)

Permalink: https://github.com/advisories/GHSA-cxf7-qrc5-9446
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jeGY3LXFyYzUtOTQ0Ns0viw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: 12 months ago

CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-cxf7-qrc5-9446, CVE-2022-24720
References:

• https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-9446
• https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983c71980dada
• https://nvd.nist.gov/vuln/detail/CVE-2022-24720
• https://www.debian.org/security/2022/dsa-5310
• https://github.com/rubysec/ruby-advisory-db/blob/master/gems/image_processing/CVE-2022-24720.yml
• https://github.com/advisories/GHSA-cxf7-qrc5-9446

Repository: https://github.com/janko/image_processing
Blast Radius: 44.1

Affected Packages