Vulnerability CVE-2017-17405: Information
Description
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Severity: HIGH (8.8) Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
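The defect above is the use of Kernel#open on a server-controlled file name. Kernel#open runs a command when its argument starts with "|", whereas File.open only ever opens a path. The following is an added example, not Ruby's own Net::FTP code: a hardened stand-in for the local-file write that uses File.open (the approach Ruby 2.4.3 switched to) and additionally validates the name derived from File.basename(remotefile). The module and method names are assumptions for this illustration.

```ruby
require "tmpdir"

# Hardened stand-in for the local-file write done by Net::FTP#get and friends.
# Added example, not stdlib code; SafeFtpLocal is a hypothetical module name.
module SafeFtpLocal
  # Reject any name that Kernel#open would interpret as a command pipe, and
  # any name that could escape the download directory. The name is what a
  # remote FTP server supplied, so treat it as untrusted.
  def self.validate_local_name(name)
    raise ArgumentError, "local file name starts with '|'" if name.start_with?("|")
    if name.include?("/") || name.include?("\\")
      raise ArgumentError, "local file name must not contain path separators"
    end
    if name.empty? || name == "." || name == ".."
      raise ArgumentError, "local file name must be a plain file name"
    end
    name
  end

  # Vulnerable pattern in Ruby < 2.4.3 (shown for contrast, never called here):
  #   open(localfile, "wb") { |f| f.write(data) }   # Kernel#open: '|cmd' spawns cmd
  #
  # Fixed pattern: File.open never spawns a process, so the name is only ever a
  # path. Defaulting localfile to File.basename(remotefile) mirrors Net::FTP.
  # Returns the path that was written.
  def self.write_with_file_open(dir, remotefile, data, localfile: nil)
    name = validate_local_name(localfile || File.basename(remotefile))
    path = File.join(dir, name)
    File.open(path, "wb") { |f| f.write(data) }
    path
  end
end
```

File.open alone closes the command-injection hole; the extra validation is defence in depth against a server that also tries to steer the file into another directory.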
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
ruby | sisyphus | 2.5.0-alt1 | 3.1.4-alt4.3 | ALT-PU-2018-1418-1 | 201383 | Fixed |
ruby | p10 | 2.5.0-alt1 | 3.1.4-alt2.p10.1 | ALT-PU-2018-1418-1 | 201383 | Fixed |
ruby | p9 | 2.5.0-alt1 | 2.5.9-alt1 | ALT-PU-2018-1418-1 | 201383 | Fixed |
ruby | p8 | 2.5.1-alt0.M80P.1 | 2.5.1-alt0.M80P.1 | ALT-PU-2018-1698-1 | 203032 | Fixed |
ruby | c10f1 | 2.5.0-alt1 | 2.7.4-alt2.2.1 | ALT-PU-2018-1418-1 | 201383 | Fixed |
ruby | c9f2 | 2.5.0-alt1 | 2.7.6-alt0.1.c9f2 | ALT-PU-2018-1418-1 | 201383 | Fixed |
ruby | c7 | 2.4.3-alt0.M70C.1 | 2.4.4-alt0.M70C.1 | ALT-PU-2018-1228-1 | 200650 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/ | |
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/ | |
102204 | |
43381 | |
[debian-lts-announce] 20171225 [SECURITY] [DLA 1221-1] ruby1.9.1 security update | |
[debian-lts-announce] 20171225 [SECURITY] [DLA 1222-1] ruby1.8 security update | |
RHSA-2018:0378 | |
RHSA-2018:0585 | |
RHSA-2018:0584 | |
RHSA-2018:0583 | |
[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security update | |
DSA-4259 | |
1042004 | |
RHSA-2019:2806 | |