Vulnerability Description
image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations that are coming from unsanitized user input allows the attacker to execute shell commands. This method is called internally by Active Storage variants, so Active Storage is vulnerable as well. The vulnerability has been fixed in version 1.12.2 of image_processing. As a workaround, users who process based on user input should always sanitize the user input by allowing only a constrained set of operations.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Image Processing Project | Image Processing | < 1.12.2 |
| Debian | Debian Linux | 11.0 |
Related Weaknesses (CWE)
References
- https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983cPatch
- https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-944ExploitVendor Advisory
- https://www.debian.org/security/2022/dsa-5310Third Party Advisory
- https://github.com/janko/image_processing/commit/038e4574e8f4f4b636a62394e09983cPatch
- https://github.com/janko/image_processing/security/advisories/GHSA-cxf7-qrc5-944ExploitVendor Advisory
- https://www.debian.org/security/2022/dsa-5310Third Party Advisory
FAQ
What is CVE-2022-24720?
CVE-2022-24720 is a vulnerability with a CVSS score of 9.8 (CRITICAL). image_processing is an image processing wrapper for libvips and ImageMagick/GraphicsMagick. Prior to version 1.12.2, using the `#apply` method from image_processing to apply a series of operations tha...
How severe is CVE-2022-24720?
CVE-2022-24720 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-24720?
Check the references section above for vendor advisories and patch information. Affected products include: Image Processing Project Image Processing, Debian Debian Linux.