MiniMagick before 4.9.4, a fetched remote image filename could cause remote command execution
aidanw opened this issue
Aidan Weatherill commented
I am using this with fastlane and it has been great. However, GitHub's new auto security bot is telling me that the mini_magick version specified (4.5) has a vulnerability and needs updating.
This is the issue found:
https://nvd.nist.gov/vuln/detail/CVE-2019-13574
Leo Picado commented
For what is worth, this probably not very Gucci but I manually updated the dependency for my (iOS only) project and the gem is still working. I updated to mini_magick (>= 4.9.4, < 5.0.0)
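The check the GitHub bot performed, written out as an added Ruby example (not code from this thread or from the project): it reads a `Gemfile.lock`, pulls the resolved `mini_magick` version out of the `specs:` section, and tests it against the same `>= 4.9.4, < 5.0.0` range quoted above using `Gem::Requirement`. The sample lockfile text is constructed for the example; the `fastlane` version in it is a placeholder, not a real pin.

```ruby
require "rubygems" # provides Gem::Version and Gem::Requirement

# Range in which CVE-2019-13574 is fixed, matching the constraint quoted
# in the thread (>= 4.9.4, < 5.0.0).
FIXED_MINI_MAGICK = Gem::Requirement.new(">= 4.9.4", "< 5.0.0")

# Extract the resolved version of a gem from Gemfile.lock contents.
# Resolved entries in the `specs:` section look like "    mini_magick (4.5.1)".
# Requirement lines such as "      mini_magick (~> 4.5.1)" are skipped because
# the capture must start with a digit. Returns nil when the gem is absent.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    if line =~ /\A\s+#{Regexp.escape(gem_name)} \((\d[\w.]*)\)\s*\z/
      return Gem::Version.new(Regexp.last_match(1))
    end
  end
  nil
end

# true  -> locked mini_magick is outside the fixed range (affected)
# false -> locked version satisfies the fixed range
# nil   -> mini_magick is not in the lockfile at all
def mini_magick_vulnerable?(lockfile_text)
  v = locked_version(lockfile_text, "mini_magick")
  return nil if v.nil?
  !FIXED_MINI_MAGICK.satisfied_by?(v)
end

# Constructed sample lockfile (not taken from any real project), pinned the way
# the reporter describes: a 4.5.x mini_magick pulled in by fastlane.
SAMPLE_LOCK_OLD = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      fastlane (0.0.0)
        mini_magick (~> 4.5.1)
      mini_magick (4.5.1)

  PLATFORMS
    ruby
LOCK

# Same lockfile after the upgrade described in the comment above.
SAMPLE_LOCK_FIXED = SAMPLE_LOCK_OLD.sub("mini_magick (4.5.1)", "mini_magick (4.9.5)")

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCK_OLD
  version = locked_version(text, "mini_magick")
  case mini_magick_vulnerable?(text)
  when nil  then puts "mini_magick not found in #{path}"
  when true then puts "mini_magick #{version} is in the CVE-2019-13574 range; upgrade to >= 4.9.4"
  else           puts "mini_magick #{version} is outside the affected range"
  end
end
```

Run it as `ruby check_mini_magick.rb path/to/Gemfile.lock`; with no argument it falls back to the constructed sample. Comparing with `Gem::Version` rather than string comparison matters here: "4.10.0" sorts before "4.9.4" as text but after it as a version.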
Daniel Griesser commented
Should be fixed in 0.11.0
Leo Picado commented
Thank you