CVE-2017-17405 :: Enginsight Vulnerability Database

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	8.8 HIGH	NETWORK	LOW	NONE	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: 99%

Affected Products (NVD)

Vendor	Product	Version
ruby-lang	ruby	2.2 ≤ 𝑥 ≤ 2.2.8
ruby-lang	ruby	2.3 ≤ 𝑥 ≤ 2.3.5
ruby-lang	ruby	2.4 ≤ 𝑥 ≤ 2.4.2
ruby-lang	ruby	2.5.0:preview1
debian	debian_linux	7.0
debian	debian_linux	8.0
debian	debian_linux	9.0
redhat	enterprise_linux_desktop	7.0
redhat	enterprise_linux_server	7.0
redhat	enterprise_linux_server_aus	7.4
redhat	enterprise_linux_server_aus	7.6
redhat	enterprise_linux_server_eus	7.4
redhat	enterprise_linux_server_eus	7.5
redhat	enterprise_linux_server_eus	7.6
redhat	enterprise_linux_server_tus	7.4
redhat	enterprise_linux_server_tus	7.6
redhat	enterprise_linux_workstation	7.0

𝑥

= Vulnerable software versions

Ubuntu Releases

Ubuntu Product

Codename

ruby1.9.1

artful	dne
trusty	Fixed 1.9.3.484-2ubuntu1.6 released
xenial	dne
zesty	dne

ruby2.0

artful	dne
trusty	Fixed 2.0.0.484-1ubuntu2.5 released
xenial	dne
zesty	dne

ruby2.3

artful	Fixed 2.3.3-1ubuntu1.1 released
trusty	dne
xenial	Fixed 2.3.1-2~16.04.4 released
zesty	Fixed 2.3.3-1ubuntu0.3 released

Known Exploits!

Common Weakness Enumeration

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References

http://www.securityfocus.com/bid/102204

http://www.securitytracker.com/id/1042004

https://access.redhat.com/errata/RHSA-2018:0378

https://access.redhat.com/errata/RHSA-2018:0583

https://access.redhat.com/errata/RHSA-2018:0584

https://access.redhat.com/errata/RHSA-2018:0585

https://access.redhat.com/errata/RHSA-2019:2806

https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html

https://lists.debian.org/debian-lts-announce/2017/12/msg00025.html

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://www.debian.org/security/2018/dsa-4259

https://www.exploit-db.com/exploits/43381/

https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/

https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/

http://www.securityfocus.com/bid/102204

http://www.securitytracker.com/id/1042004

https://access.redhat.com/errata/RHSA-2018:0378

https://access.redhat.com/errata/RHSA-2018:0583

https://access.redhat.com/errata/RHSA-2018:0584

https://access.redhat.com/errata/RHSA-2018:0585

https://access.redhat.com/errata/RHSA-2019:2806

https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html

https://lists.debian.org/debian-lts-announce/2017/12/msg00025.html

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://www.debian.org/security/2018/dsa-4259

https://www.exploit-db.com/exploits/43381/

https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/

https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/