Command Injection Vulnerability in Ruby's Net::FTP Module
CVE-2017-17405

8.8HIGH

Key Information:

Vendor: Ruby-lang
Status: Ruby
Vendor: CVE Published:; 15 December 2017

What is CVE-2017-17405?

A command injection vulnerability exists in the Net::FTP library of Ruby versions prior to 2.4.3. This flaw arises when commands are executed from user-controlled input in FTP operations, allowing attackers to manipulate the 'localfile' argument. If this argument begins with a pipe character ('|'), any command following it will be executed, potentially leading to unauthorized access and execution of arbitrary commands. Malicious FTP servers can exploit this behavior, further compromising the security of the affected systems.

References

https://access.redhat.com/errata/RHSA-2018:0585

vendor-advisoryx_refsource_REDHAT

https://lists.debian.org/debian-lts-announce/2017/12/msg0...

mailing-listx_refsource_MLIST

https://access.redhat.com/errata/RHSA-2018:0378

vendor-advisoryx_refsource_REDHAT

EPSS Score

88% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Dec 15, 2017
Vulnerability Reserved
Dec 5, 2017

Ruby-lang

What is CVE-2017-17405?

References

EPSS Score

CVSS V3.1

Timeline