CVE-2017-10784: Improper Authentication in Webrick

Severity: 8.8 HIGH (NVD)
EPSS: 1.4% (top 19.55%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Sep 19; Latest update May 14

Description

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: 2.8 | Impact: 5.9

Affected Packages (3 packages)

RubyGems: ruby-lang/webrick < 1.4.0
Alpine: ruby-lang/ruby < 2.4.2-r0 (+20)
NVD: ruby-lang/ruby 2.2.7 (+7)

Patches

🔴 Vulnerability Details (6)

GHSA: WEBrick RCE Vulnerability (2022-05-14)
OSV: WEBrick RCE Vulnerability (2022-05-14)
OSV: ruby1.9.1, ruby2.3 vulnerabilities (2018-01-10)
OSV: ruby1.9.1 vulnerabilities (2017-10-05)
CVEList: CVE-2017-10784: The Basic authentication code in WEBrick library in Ruby before 2 (2017-09-19)

📋 Vendor Advisories (6)

Apple: CVE-2017-10784: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra (2018-10-30)
Apple: CVE-2017-10784: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan (2018-07-09)
Ubuntu: Ruby vulnerabilities (2018-06-13)
Ubuntu: Ruby vulnerabilities (2018-01-10)
Ubuntu: Ruby vulnerabilities (2017-10-05)

💬 Community (2)

Bugzilla: CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 ruby: various flaws [fedora-all] (2017-09-15)
Bugzilla: CVE-2017-10784 ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick (2017-09-15)
CVE-2017-10784 — Improper Authentication in Webrick | cvebase