CVE-2017-10784

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 84%
Affected Products (NVD)
VendorProductVersion
ruby-langruby
𝑥
≤ 2.2.7
ruby-langruby
2.3.0
ruby-langruby
2.3.0:preview1
ruby-langruby
2.3.0:preview2
ruby-langruby
2.3.1
ruby-langruby
2.3.2
ruby-langruby
2.3.3
ruby-langruby
2.3.4
ruby-langruby
2.4.0
ruby-langruby
2.4.0:preview1
ruby-langruby
2.4.0:preview2
ruby-langruby
2.4.0:preview3
ruby-langruby
2.4.0:rc1
ruby-langruby
2.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby1.9.1
artful
dne
bionic
dne
trusty
Fixed 1.9.3.484-2ubuntu1.5
released
xenial
dne
zesty
dne
ruby2.0
artful
dne
bionic
dne
trusty
Fixed 2.0.0.484-1ubuntu2.10
released
xenial
dne
zesty
dne
ruby2.3
artful
Fixed 2.3.3-1ubuntu1.2
released
bionic
dne
trusty
dne
xenial
Fixed 2.3.1-2~16.04.5
released
zesty
ignored
openSUSE logo
openSUSE / SLES Releases
openSUSE Product
Release
libruby2_1-2_1
suse enterprise sap 12 SP4
2.1.9-19.3.2
fixed
suse enterprise sap 12 SP5
2.1.9-19.3.2
fixed
suse enterprise server 12 SP2
2.1.9-19.3.2
fixed
suse enterprise server 12 SP3
2.1.9-19.3.2
fixed
suse enterprise server 12 SP4
2.1.9-19.3.2
fixed
suse enterprise server 12 SP5
2.1.9-19.3.2
fixed
yast2-ruby-bindings
suse enterprise server 12 SP2
3.1.53-9.8.1
fixed
Red Hat logo
Red Hat Enterprise Linux Releases
Red Hat Product
Release
ruby
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-devel
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-doc
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-irb
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-libs
RHEL 7
0:2.0.0.648-33.el7_4
fixed
ruby-tcltk
RHEL 7
0:2.0.0.648-33.el7_4
fixed
rubygem-bigdecimal
RHEL 7
0:1.2.0-33.el7_4
fixed
rubygem-io-console
RHEL 7
0:0.4.2-33.el7_4
fixed
rubygem-json
RHEL 7
0:1.7.7-33.el7_4
fixed
rubygem-minitest
RHEL 7
0:4.3.2-33.el7_4
fixed
rubygem-psych
RHEL 7
0:2.0.0-33.el7_4
fixed
rubygem-rake
RHEL 7
0:0.9.6-33.el7_4
fixed
rubygem-rdoc
RHEL 7
0:4.0.0-33.el7_4
fixed
rubygems
RHEL 7
0:2.0.14.1-33.el7_4
fixed
rubygems-devel
RHEL 7
0:2.0.14.1-33.el7_4
fixed
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/100853
http://www.securitytracker.com/id/1039363
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
http://www.securityfocus.com/bid/100853
http://www.securitytracker.com/id/1039363
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/