CVE-2017-17405
15.12.2017, 09:29
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| ruby-lang | ruby | 2.2 ≤ 𝑥 ≤ 2.2.8 |
| ruby-lang | ruby | 2.3 ≤ 𝑥 ≤ 2.3.5 |
| ruby-lang | ruby | 2.4 ≤ 𝑥 ≤ 2.4.2 |
| ruby-lang | ruby | 2.5.0:preview1 |
| debian | debian_linux | 7.0 |
| debian | debian_linux | 8.0 |
| debian | debian_linux | 9.0 |
| redhat | enterprise_linux_desktop | 7.0 |
| redhat | enterprise_linux_server | 7.0 |
| redhat | enterprise_linux_server_aus | 7.4 |
| redhat | enterprise_linux_server_aus | 7.6 |
| redhat | enterprise_linux_server_eus | 7.4 |
| redhat | enterprise_linux_server_eus | 7.5 |
| redhat | enterprise_linux_server_eus | 7.6 |
| redhat | enterprise_linux_server_tus | 7.4 |
| redhat | enterprise_linux_server_tus | 7.6 |
| redhat | enterprise_linux_workstation | 7.0 |
𝑥
= Vulnerable software versions
Ubuntu Releases
openSUSE / SLES Releases
openSUSE Product | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| libruby2_1-2_1 |
| ||||||||||||
| yast2-ruby-bindings |
|
Red Hat Enterprise Linux Releases
Red Hat Product | |||
|---|---|---|---|
| ruby |
| ||
| ruby-devel |
| ||
| ruby-doc |
| ||
| ruby-irb |
| ||
| ruby-libs |
| ||
| ruby-tcltk |
| ||
| rubygem-bigdecimal |
| ||
| rubygem-io-console |
| ||
| rubygem-json |
| ||
| rubygem-minitest |
| ||
| rubygem-psych |
| ||
| rubygem-rake |
| ||
| rubygem-rdoc |
| ||
| rubygems |
| ||
| rubygems-devel |
|
References