CVE-2017-10784

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 96%
Affected Products (NVD)
VendorProductVersion
ruby-langruby
𝑥
≤ 2.2.7
ruby-langruby
2.3.0
ruby-langruby
2.3.0:preview1
ruby-langruby
2.3.0:preview2
ruby-langruby
2.3.1
ruby-langruby
2.3.2
ruby-langruby
2.3.3
ruby-langruby
2.3.4
ruby-langruby
2.4.0
ruby-langruby
2.4.0:preview1
ruby-langruby
2.4.0:preview2
ruby-langruby
2.4.0:preview3
ruby-langruby
2.4.0:rc1
ruby-langruby
2.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby1.9.1
artful
dne
bionic
dne
trusty
Fixed 1.9.3.484-2ubuntu1.5
released
xenial
dne
zesty
dne
ruby2.0
artful
dne
bionic
dne
trusty
Fixed 2.0.0.484-1ubuntu2.10
released
xenial
dne
zesty
dne
ruby2.3
artful
Fixed 2.3.3-1ubuntu1.2
released
bionic
dne
trusty
dne
xenial
Fixed 2.3.1-2~16.04.5
released
zesty
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_1-2_1
suse enterprise sap 12 SP4
2.1.9-19.3.2
fixed
suse enterprise sap 12 SP5
2.1.9-19.3.2
fixed
suse enterprise server 12 SP2
2.1.9-19.3.2
fixed
suse enterprise server 12 SP3
2.1.9-19.3.2
fixed
suse enterprise server 12 SP4
2.1.9-19.3.2
fixed
suse enterprise server 12 SP5
2.1.9-19.3.2
fixed
yast2-ruby-bindings
suse enterprise server 12 SP2
3.1.53-9.8.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
ruby
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-devel
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-doc
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-irb
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-libs
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-tcltk
RHEL 7
0:2.0.0.648-33.el7_4
fixed
rubygem-bigdecimal
RHEL 7
0:1.2.0-33.el7_4
fixed
rubygem-io-console
RHEL 7
0:0.4.2-33.el7_4
fixed
rubygem-json
RHEL 7
0:1.7.7-33.el7_4
fixed
rubygem-minitest
RHEL 7
0:4.3.2-33.el7_4
fixed
rubygem-psych
RHEL 7
0:2.0.0-33.el7_4
fixed
rubygem-rake
RHEL 7
0:0.9.6-33.el7_4
fixed
rubygem-rdoc
RHEL 7
0:4.0.0-33.el7_4
fixed
rubygems
RHEL 7
0:2.0.14.1-33.el7_4
fixed
rubygems-devel
RHEL 7
0:2.0.14.1-33.el7_4
fixed
Amazon Linux logo
Amazon Linux Releases
Amazon Package
Release
ruby22
Amazon Linux 1
0:2.2.8-1.9.amzn1
fixed
ruby22-debuginfo
Amazon Linux 1
0:2.2.8-1.9.amzn1
fixed
ruby22-devel
Amazon Linux 1
0:2.2.8-1.9.amzn1
fixed
ruby22-doc
Amazon Linux 1
0:2.2.8-1.9.amzn1
fixed
ruby22-irb
Amazon Linux 1
0:2.2.8-1.9.amzn1
fixed
ruby22-libs
Amazon Linux 1
0:2.2.8-1.9.amzn1
fixed
ruby23
Amazon Linux 1
0:2.3.5-1.17.amzn1
fixed
ruby23-debuginfo
Amazon Linux 1
0:2.3.5-1.17.amzn1
fixed
ruby23-devel
Amazon Linux 1
0:2.3.5-1.17.amzn1
fixed
ruby23-doc
Amazon Linux 1
0:2.3.5-1.17.amzn1
fixed
ruby23-irb
Amazon Linux 1
0:2.3.5-1.17.amzn1
fixed
ruby23-libs
Amazon Linux 1
0:2.3.5-1.17.amzn1
fixed
ruby24
Amazon Linux 1
0:2.4.2-1.30.4.amzn1
fixed
ruby24-debuginfo
Amazon Linux 1
0:2.4.2-1.30.4.amzn1
fixed
ruby24-devel
Amazon Linux 1
0:2.4.2-1.30.4.amzn1
fixed
ruby24-doc
Amazon Linux 1
0:2.4.2-1.30.4.amzn1
fixed
ruby24-irb
Amazon Linux 1
0:2.4.2-1.30.4.amzn1
fixed
ruby24-libs
Amazon Linux 1
0:2.4.2-1.30.4.amzn1
fixed
rubygem22-bigdecimal
Amazon Linux 1
0:1.2.6-1.9.amzn1
fixed
rubygem22-io-console
Amazon Linux 1
0:0.4.3-1.9.amzn1
fixed
rubygem22-psych
Amazon Linux 1
0:2.0.8.1-1.9.amzn1
fixed
rubygem23-bigdecimal
Amazon Linux 1
0:1.2.8-1.17.amzn1
fixed
rubygem23-did_you_mean
Amazon Linux 1
0:1.0.0-1.17.amzn1
fixed
rubygem23-io-console
Amazon Linux 1
0:0.4.5-1.17.amzn1
fixed
rubygem23-json
Amazon Linux 1
0:1.8.3.1-1.17.amzn1
fixed
rubygem23-psych
Amazon Linux 1
0:2.1.0.1-1.17.amzn1
fixed
rubygem24-bigdecimal
Amazon Linux 1
0:1.3.0-1.30.4.amzn1
fixed
rubygem24-did_you_mean
Amazon Linux 1
0:1.1.0-1.30.4.amzn1
fixed
rubygem24-io-console
Amazon Linux 1
0:0.4.6-1.30.4.amzn1
fixed
rubygem24-json
Amazon Linux 1
0:2.0.4-1.30.4.amzn1
fixed
rubygem24-psych
Amazon Linux 1
0:2.2.2-1.30.4.amzn1
fixed
rubygem24-xmlrpc
Amazon Linux 1
0:0.2.1-1.30.4.amzn1
fixed
rubygems22
Amazon Linux 1
0:2.4.5.2-1.9.amzn1
fixed
rubygems22-devel
Amazon Linux 1
0:2.4.5.2-1.9.amzn1
fixed
rubygems23
Amazon Linux 1
0:2.5.2.1-1.17.amzn1
fixed
rubygems23-devel
Amazon Linux 1
0:2.5.2.1-1.17.amzn1
fixed
rubygems24
Amazon Linux 1
0:2.6.13-1.30.4.amzn1
fixed
rubygems24-devel
Amazon Linux 1
0:2.6.13-1.30.4.amzn1
fixed
References