Command Injection Vulnerability in Ruby's Net::FTP Module
CVE-2017-17405

8.8HIGH

Key Information:

Vendor

Ruby-lang

Status
Ruby
Vendor
CVE Published:
15 December 2017

What is CVE-2017-17405?

A command injection vulnerability exists in the Net::FTP library of Ruby versions prior to 2.4.3. This flaw arises when commands are executed from user-controlled input in FTP operations, allowing attackers to manipulate the 'localfile' argument. If this argument begins with a pipe character ('|'), any command following it will be executed, potentially leading to unauthorized access and execution of arbitrary commands. Malicious FTP servers can exploit this behavior, further compromising the security of the affected systems.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://access.redhat.com/errata/RHSA-2018:0585
vendor-advisoryx_refsource_REDHAT
https://lists.debian.org/debian-lts-announce/2017/12/msg0...
mailing-listx_refsource_MLIST
https://access.redhat.com/errata/RHSA-2018:0378
vendor-advisoryx_refsource_REDHAT

EPSS Score

88% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.