CVE-2017-17405: Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a…

high8.8CVSS 3.0

AVNACLPRNUIRSUCHIHAH

EXPLOIT

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

Affected

40 ranges· showing 25

Vendor	Product	Version range	Fixed in
apple	macos_high_sierra_10.13.6_security_update_2018-004_sierra_security_update_2018-0	—	—
apple	macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
debian	debian_linux	—	—
redhat	enterprise_linux_desktop	—	—
redhat	enterprise_linux_server	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_aus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_eus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_server_tus	—	—
redhat	enterprise_linux_workstation	—	—
ruby-lang	ruby	—	—
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0
ruby-lang	ruby	>= 0 < 2.4.3-r0	2.4.3-r0

CVSS provenance

nvdv3.09.8CRITICALCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

osv8.8HIGH