{"document":{"aggregate_severity":{"namespace":"https://www.suse.com/support/security/rating/","text":"important"},"category":"csaf_vex","csaf_version":"2.0","distribution":{"text":"Copyright 2024 SUSE LLC. All rights reserved.","tlp":{"label":"WHITE","url":"https://www.first.org/tlp/"}},"lang":"en","notes":[{"category":"summary","text":"SUSE CVE-2025-24293","title":"Title"},{"category":"description","text":"# Active Storage allowed transformation methods potentially unsafe\r\n\r\nActive Storage attempts to prevent the use of potentially unsafe image\r\ntransformation methods and parameters by default.\r\n\r\nThe default allowed list contains three methods allow for the circumvention\r\nof the safe defaults which enables potential command injection\r\nvulnerabilities in cases where arbitrary user supplied input is accepted as\r\nvalid transformation methods or parameters.\r\n\r\n\r\nImpact\r\n------\r\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.\r\n\r\nVulnerable code will look something similar to this:\r\n```\r\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\r\n```\r\n\r\nWhere the transformation method or its arguments are untrusted arbitrary input.\r\n\r\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\r\n\r\n\r\n\r\nWorkarounds\r\n-----------\r\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\r\n\r\nStrict validation of user supplied methods and parameters should be performed\r\nas well as having a strong [ImageMagick security\r\npolicy](https://imagemagick.org/script/security-policy.php) deployed.\r\n\r\nCredits\r\n-------\r\n\r\nThank you [lio346](https://hackerone.com/lio346) for reporting this!","title":"Description of the CVE"},{"category":"legal_disclaimer","text":"CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).","title":"Terms of use"}],"publisher":{"category":"vendor","contact_details":"https://www.suse.com/support/security/contact/","name":"SUSE Product Security Team","namespace":"https://www.suse.com/"},"references":[{"category":"external","summary":"CVE-2025-24293","url":"https://www.suse.com/security/cve/CVE-2025-24293"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1257617 for CVE-2025-24293","url":"https://bugzilla.suse.com/1257617"}],"title":"SUSE CVE CVE-2025-24293","tracking":{"current_release_date":"2026-03-13T14:21:33Z","generator":{"date":"2026-02-04T00:41:02Z","engine":{"name":"cve-database.git:bin/generate-csaf-vex.pl","version":"1"}},"id":"CVE-2025-24293","initial_release_date":"2026-02-04T00:41:02Z","revision_history":[{"date":"2026-02-04T00:41:02Z","number":"2","summary":"vulnerabilities added,references added,severity changed from  to important"},{"date":"2026-03-11T17:21:58Z","number":"3","summary":"unknown changes"},{"date":"2026-03-13T14:21:33Z","number":"4","summary":"unknown changes"}],"status":"interim","version":"4"}},"product_tree":{"branches":[{"branches":[{"branches":[{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 12 SP5","product":{"name":"SUSE Linux Enterprise High Availability Extension 12 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP4","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp4"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP5","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise High Availability Extension 15 SP7","product":{"name":"SUSE Linux Enterprise High Availability Extension 15 SP7","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP7","product_identification_helper":{"cpe":"cpe:/o:suse:sle-ha:15:sp7"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product":{"name":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_identification_helper":{"cpe":"cpe:/o:suse:sles_sap:12:sp5"}}},{"category":"product_name","name":"SUSE Linux Enterprise Server for SAP applications 16.0","product":{"name":"SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0","product_identification_helper":{"cpe":"cpe:/o:suse:sles:16:16.0:server-sap"}}},{"category":"product_name","name":"openSUSE Leap 15.6","product":{"name":"openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6","product_identification_helper":{"cpe":"cpe:/o:opensuse:leap:15.6"}}},{"category":"product_version","name":"hawk2","product":{"name":"hawk2","product_id":"hawk2","product_identification_helper":{"cpe":"cpe:2.3:a:clusterlabs:hawk:*:*:*:*:*:*:*:*","purl":"pkg:rpm/suse/hawk2@?upstream=hawk2.src.rpm"}}}],"category":"product_family","name":"SUSE Linux Enterprise"}],"category":"vendor","name":"SUSE"}],"relationships":[{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of SUSE Linux Enterprise High Availability Extension 12 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 12 SP5:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 12 SP5"},{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of SUSE Linux Enterprise High Availability Extension 15 SP4","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP4:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP4"},{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of SUSE Linux Enterprise High Availability Extension 15 SP5","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP5:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP5"},{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of SUSE Linux Enterprise High Availability Extension 15 SP7","product_id":"SUSE Linux Enterprise High Availability Extension 15 SP7:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"SUSE Linux Enterprise High Availability Extension 15 SP7"},{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of SUSE Linux Enterprise Server for SAP Applications 12 SP5","product_id":"SUSE Linux Enterprise Server for SAP Applications 12 SP5:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP Applications 12 SP5"},{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of SUSE Linux Enterprise Server for SAP applications 16.0","product_id":"SUSE Linux Enterprise Server for SAP applications 16.0:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"SUSE Linux Enterprise Server for SAP applications 16.0"},{"category":"default_component_of","full_product_name":{"name":"hawk2 as component of openSUSE Leap 15.6","product_id":"openSUSE Leap 15.6:hawk2"},"product_reference":"hawk2","relates_to_product_reference":"openSUSE Leap 15.6"}]},"vulnerabilities":[{"cve":"CVE-2025-24293","ids":[{"system_name":"SUSE CVE Page","text":"https://www.suse.com/security/cve/CVE-2025-24293"}],"notes":[{"category":"general","text":"# Active Storage allowed transformation methods potentially unsafe\r\n\r\nActive Storage attempts to prevent the use of potentially unsafe image\r\ntransformation methods and parameters by default.\r\n\r\nThe default allowed list contains three methods allow for the circumvention\r\nof the safe defaults which enables potential command injection\r\nvulnerabilities in cases where arbitrary user supplied input is accepted as\r\nvalid transformation methods or parameters.\r\n\r\n\r\nImpact\r\n------\r\nThis vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor.\r\n\r\nVulnerable code will look something similar to this:\r\n```\r\n<%= image_tag blob.variant(params[:t] => params[:v]) %>\r\n```\r\n\r\nWhere the transformation method or its arguments are untrusted arbitrary input.\r\n\r\nAll users running an affected release should either upgrade or use one of the workarounds immediately.\r\n\r\n\r\n\r\nWorkarounds\r\n-----------\r\nConsuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous.\r\n\r\nStrict validation of user supplied methods and parameters should be performed\r\nas well as having a strong [ImageMagick security\r\npolicy](https://imagemagick.org/script/security-policy.php) deployed.\r\n\r\nCredits\r\n-------\r\n\r\nThank you [lio346](https://hackerone.com/lio346) for reporting this!","title":"CVE description"}],"product_status":{"known_not_affected":["SUSE Linux Enterprise High Availability Extension 12 SP5:hawk2","SUSE Linux Enterprise High Availability Extension 15 SP4:hawk2","SUSE Linux Enterprise High Availability Extension 15 SP5:hawk2","SUSE Linux Enterprise High Availability Extension 15 SP7:hawk2","SUSE Linux Enterprise Server for SAP Applications 12 SP5:hawk2","SUSE Linux Enterprise Server for SAP applications 16.0:hawk2","openSUSE Leap 15.6:hawk2"]},"references":[{"category":"external","summary":"CVE-2025-24293","url":"https://www.suse.com/security/cve/CVE-2025-24293"},{"category":"external","summary":"SUSE Security Ratings","url":"https://www.suse.com/support/security/rating/"},{"category":"external","summary":"SUSE Bug 1257617 for CVE-2025-24293","url":"https://bugzilla.suse.com/1257617"}],"threats":[{"category":"impact","date":"2026-01-30T23:02:56Z","details":"important"}],"title":"CVE-2025-24293"}]}