CVE-2017-10784

EUVD-2022-2118
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
NETWORK
LOW
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 80%
Affected Products (NVD)
VendorProductVersion
ruby-langruby
𝑥
≤ 2.2.7
ruby-langruby
2.3.0
ruby-langruby
2.3.0:preview1
ruby-langruby
2.3.0:preview2
ruby-langruby
2.3.1
ruby-langruby
2.3.2
ruby-langruby
2.3.3
ruby-langruby
2.3.4
ruby-langruby
2.4.0
ruby-langruby
2.4.0:preview1
ruby-langruby
2.4.0:preview2
ruby-langruby
2.4.0:preview3
ruby-langruby
2.4.0:rc1
ruby-langruby
2.4.1
𝑥
= Vulnerable software versions
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
ruby1.9.1
artful
dne
bionic
dne
trusty
Fixed 1.9.3.484-2ubuntu1.5
released
xenial
dne
zesty
dne
ruby2.0
artful
dne
bionic
dne
trusty
Fixed 2.0.0.484-1ubuntu2.10
released
xenial
dne
zesty
dne
ruby2.3
artful
Fixed 2.3.3-1ubuntu1.2
released
bionic
dne
trusty
dne
xenial
Fixed 2.3.1-2~16.04.5
released
zesty
ignored
Common Weakness Enumeration
References
http://www.securityfocus.com/bid/100853
http://www.securitytracker.com/id/1039363
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
http://www.securityfocus.com/bid/100853
http://www.securitytracker.com/id/1039363
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/