{ "document":{ "aggregate_severity":{ "namespace":"https://nvd.nist.gov/vuln-metrics/cvss", "text":"High" }, "category":"csaf_vex", "csaf_version":"2.0", "distribution":{ "tlp":{ "label":"WHITE", "url":"https:/www.first.org/tlp/" } }, "lang":"en", "notes":[ { "text":"rubygem-mini_magick security update", "category":"general", "title":"Synopsis" }, { "text":"An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1.", "category":"general", "title":"Summary" }, { "text":"A ruby wrapper for ImageMagick command line. Using MiniMagick the ruby processes memory remains small (it spawns ImageMagick's command line program mogrify which takes up some memory as well, but is much smaller compared to RMagick).\n\nSecurity Fix(es):\n\nIn lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.(CVE-2019-13574)", "category":"general", "title":"Description" }, { "text":"An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1.\n\nopenEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.", "category":"general", "title":"Topic" }, { "text":"High", "category":"general", "title":"Severity" }, { "text":"rubygem-mini_magick", "category":"general", "title":"Affected Component" } ], "publisher":{ "issuing_authority":"openEuler security committee", "name":"openEuler", "namespace":"https://www.openeuler.org", "contact_details":"openeuler-security@openeuler.org", "category":"vendor" }, "references":[ { "summary":"openEuler-SA-2021-1150", "category":"self", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1150" }, { "summary":"CVE-2019-13574", "category":"self", "url":"https://openeuler.org/en/security/cve/detail?cveId=CVE-2019-13574&packageName=rubygem-mini_magick" }, { "summary":"nvd cve", "category":"external", "url":"https://nvd.nist.gov/vuln/detail/CVE-2019-13574" }, { "summary":"openEuler-SA-2021-1150 vex file", "category":"self", "url":"https://repo.openeuler.org/security/data/csaf/advisories/2021/csaf-openeuler-sa-2021-1150.json" } ], "title":"An update for rubygem-mini_magick is now available for openEuler-20.03-LTS-SP1", "tracking":{ "initial_release_date":"2021-05-06T09:19:08+08:00", "revision_history":[ { "date":"2021-05-06T09:19:08+08:00", "summary":"Initial", "number":"1.0.0" }, { "date":"2024-10-31T09:19:08+08:00", "summary":"final", "number":"2.0.0" } ], "generator":{ "date":"2024-10-31T09:19:08+08:00", "engine":{ "name":"openEuler CSAF Tool V1.0" } }, "current_release_date":"2024-10-31T09:19:08+08:00", "id":"openEuler-SA-2021-1150", "version":"2.0.0", "status":"final" } }, "product_tree":{ "branches":[ { "name":"openEuler", "category":"vendor", "branches":[ { "name":"openEuler", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"openEuler-20.03-LTS-SP1", "name":"openEuler-20.03-LTS-SP1" }, "name":"openEuler-20.03-LTS-SP1", "category":"product_version" } ], "category":"product_name" }, { "name":"noarch", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm" }, "name":"rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm", "category":"product_version" }, { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm(20.03-LTS-SP1)", "name":"rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm" }, "name":"rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm", "category":"product_version" } ], "category":"architecture" }, { "name":"src", "branches":[ { "product":{ "product_identification_helper":{ "cpe":"cpe:/a:openEuler:openEuler:20.03-LTS-SP1" }, "product_id":"rubygem-mini_magick-4.8.0-3.oe1.src.rpm(20.03-LTS-SP1)", "name":"rubygem-mini_magick-4.8.0-3.oe1.src.rpm" }, "name":"rubygem-mini_magick-4.8.0-3.oe1.src.rpm", "category":"product_version" } ], "category":"architecture" } ] } ], "relationships":[ { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"rubygem-mini_magick-4.8.0-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.noarch", "name":"rubygem-mini_magick-4.8.0-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"rubygem-mini_magick-doc-4.8.0-3.oe1.noarch.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:rubygem-mini_magick-doc-4.8.0-3.oe1.noarch", "name":"rubygem-mini_magick-doc-4.8.0-3.oe1.noarch as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" }, { "relates_to_product_reference":"openEuler-20.03-LTS-SP1", "product_reference":"rubygem-mini_magick-4.8.0-3.oe1.src.rpm(20.03-LTS-SP1)", "full_product_name":{ "product_id":"openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.src", "name":"rubygem-mini_magick-4.8.0-3.oe1.src as a component of openEuler-20.03-LTS-SP1" }, "category":"default_component_of" } ] }, "vulnerabilities":[ { "cve":"CVE-2019-13574", "notes":[ { "text":"In lib/mini_magick/image.rb in MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution because Image.open input is directly passed to Kernel#open, which accepts a '|' character followed by a command.", "category":"description", "title":"Vulnerability Description" } ], "product_status":{ "fixed":[ "openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.noarch", "openEuler-20.03-LTS-SP1:rubygem-mini_magick-doc-4.8.0-3.oe1.noarch", "openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.src" ] }, "remediations":[ { "product_ids":[ "openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.noarch", "openEuler-20.03-LTS-SP1:rubygem-mini_magick-doc-4.8.0-3.oe1.noarch", "openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.src" ], "details":"rubygem-mini_magick security update", "category":"vendor_fix", "url":"https://openeuler.org/en/security/security-bulletins/detail/?id=openEuler-SA-2021-1150" } ], "scores":[ { "cvss_v3":{ "baseSeverity":"HIGH", "baseScore":7.8, "vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version":"3.1" }, "products":[ "openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.noarch", "openEuler-20.03-LTS-SP1:rubygem-mini_magick-doc-4.8.0-3.oe1.noarch", "openEuler-20.03-LTS-SP1:rubygem-mini_magick-4.8.0-3.oe1.src" ] } ], "threats":[ { "details":"High", "category":"impact" } ], "title":"CVE-2019-13574" } ] }