Command Injection Vulnerability in WEBrick Library from Ruby
CVE-2017-10784

8.8HIGH

Key Information:

Vendor

Ruby-lang

Status
Ruby
Vendor
CVE Published:
19 September 2017

What is CVE-2017-10784?

The WEBrick library in Ruby versions prior to 2.2.8, 2.3.x prior to 2.3.5, and 2.4.x up to 2.4.1 is susceptible to a command injection flaw. Malicious users can exploit this vulnerability by crafting user names that inject terminal emulator escape sequences into the log. This could result in arbitrary command execution by the server, posing significant security risks for applications that utilize the WEBrick server.

References

https://usn.ubuntu.com/3685-1/
vendor-advisoryx_refsource_UBUNTU
https://access.redhat.com/errata/RHSA-2018:0585
vendor-advisoryx_refsource_REDHAT
https://usn.ubuntu.com/3528-1/
vendor-advisoryx_refsource_UBUNTU

EPSS Score

16% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.