Is Redmine affected by the ImageTragick security flaw?

Added by Simen Endsjø over 8 years ago

https://imagetragick.com/

There are multiple vulnerabilities in ImageMagick, a package commonly used by
web services to process images. One of the vulnerabilities can lead to remote
code execution (RCE) if you process user submitted images. The exploit for this
vulnerability is being used in the wild.

A number of image processing plugins depend on the ImageMagick library,
including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and
nodejs’s imagemagick.


Replies (2)

RE: Is Redmine affected by the ImageTragick security flaw? - Added by Angelo Bertolli over 8 years ago

Yes, if you have an issue tracker with attachments. If someone uploads an image and rmagick is then used to modify the image (e.g. create a thumbnail), that could allow them to execute code on your system.
