CVE-2017-17790Injection in Ruby

CWE-74InjectionCWE-77Command Injection8 documents7 sources
Severity
9.8CRITICALNVD
CNA8.8OSV8.8
EPSS
4.7%
top 10.67%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Ruby-lang Ruby
Timeline
PublishedDec 20
Latest updateMay 14

Description

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages1 packages

NVDruby-lang/ruby2.22.2.8+3

🔴Vulnerability Details

3
GHSA
GHSA-47cm-jxff-w8wg: The lazy_initialize function in lib/resolv2022-05-14
OSV
CVE-2017-17790: The lazy_initialize function in lib/resolv2017-12-20
CVEList
CVE-2017-17790: The lazy_initialize function in lib/resolv2017-12-20

📋Vendor Advisories

2
Ubuntu
Ruby vulnerabilities2018-01-10
Red Hat
ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution2017-12-19

💬Community

2
Bugzilla
CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution [fedora-all]2017-12-21
Bugzilla
CVE-2017-17790 ruby: Command injection in lib/resolv.rb:lazy_initialize() allows arbitrary code execution2017-12-21
CVE-2017-17790 — Injection in Ruby-lang Ruby | cvebase