CVE-2022-24720: 
Ruby vulnerability analysis and mitigation

CVE-2022-24720 affects image_processing, a wrapper library for libvips and ImageMagick/GraphicsMagick. The vulnerability was discovered in versions prior to 1.12.2, where using the #apply method with unsanitized user input could allow attackers to execute arbitrary shell commands. This vulnerability also affects Active Storage variants since they internally use this method (GitHub Advisory).

The vulnerability stems from the improper input validation in the #apply method, which allowed execution of shell commands through Kernel#system and Kernel#spawn. The vulnerability has a CVSS v3.1 Base Score of 9.8 (CRITICAL) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation with no required privileges or user interaction (NVD).

If exploited, this vulnerability allows attackers to execute arbitrary shell commands on the target system. This is particularly concerning as Active Storage variants, which internally use the affected method, are also vulnerable. The high severity rating indicates potential for complete system compromise (GitHub Advisory).

The vulnerability has been patched in version 1.12.2 of image_processing. As a workaround, users processing based on user input should implement input sanitization by allowing only a constrained set of operations. For example, operations should be filtered to include only legitimate image processing commands like 'resize_to_limit' or 'strip' (GitHub Advisory, Debian Advisory).