Public exploit available

Public proof-of-concept or exploit code exists (ExploitDB / Metasploit / Nuclei).

CVE-2017-17405 — OS Command Injection in Ruby

CWE-78 — OS Command Injection CWE-20 — Improper Input Validation CWE-77 — Command Injection12 documents9 sources

Severity

8.8HIGHNVD

EPSS

88.6%

top 0.49%

CISA KEV

Not in KEV

Exploit

PoC available

Public exploit / PoC exists

Affected products

Ruby-lang Ruby Debian Linux Redhat Enterprise Linux Desktop +5 more

Timeline

PublishedDec 15

Latest updateMay 13

Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages5 packages

▶Alpineruby-lang/ruby< 2.4.3-r0+20

▶NVDruby-lang/ruby2.2 — 2.2.8+3

▶NVDredhat/enterprise_linux_server7.0

▶NVDredhat/enterprise_linux_desktop7.0

▶NVDredhat/enterprise_linux_workstation7.0

Also affects: Debian Linux 7.0, 8.0, 9.0, Enterprise Linux 7.4, 7.6, 7.5

Patches

Patch: www.ruby-lang.org ↗Patch: www.ruby-lang.org ↗

🔴Vulnerability Details

GHSA

GHSA-q23r-c9rf-97q3: Ruby before 2↗2022-05-13

▶

CVEList

CVE-2017-17405: Ruby before 2↗2017-12-15

▶

OSV

CVE-2017-17405: Ruby before 2↗2017-12-15

▶

💥Exploits & PoCs

Exploit-DB

Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - 'NET::Ftp' Command Injection↗2017-12-02

▶

📋Vendor Advisories

Apple

CVE-2017-17405: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra↗2018-10-30

▶

Apple

CVE-2017-17405: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan↗2018-07-09

▶

Ubuntu

Ruby vulnerability↗2018-01-04

▶

Red Hat

ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution↗2017-12-19

▶

Red Hat

ruby: Command injection vulnerability in Net::FTP↗2017-12-14

▶

💬Community

Bugzilla

CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution↗2017-12-21

▶

Bugzilla

CVE-2017-17405 ruby: Command injection vulnerability in Net::FTP↗2017-12-14

▶