Command Injection Vulnerability in Ruby Library
CVE-2017-17790

9.8 CRITICAL

Key Information:

Vendor: Ruby-lang
Status: Vendor
CVE Published: 20 December 2017

What is CVE-2017-17790?

The lazy_initialize method of Resolv::Hosts in lib/resolv.rb, in Ruby through 2.4.3, is vulnerable to command injection. The method opened the hosts file passed to Resolv::Hosts.new with Kernel#open rather than File.open. Kernel#open treats an argument that begins with a '|' character as a command to run and returns its output, so an application that lets untrusted input reach that filename argument can be made to execute arbitrary commands on the host with the privileges of the Ruby process. The upstream fix replaces the Kernel#open call with File.open, which never spawns a process. Users should update to a fixed Ruby release and, as defence in depth, never pass untrusted strings to Kernel#open (or to APIs such as Resolv::Hosts.new that call it) without first rejecting values that start with '|'.
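The following is an added illustration, not code from the Ruby standard library or from this advisory. HostsDemo is a hypothetical, stripped-down stand-in for Resolv::Hosts#lazy_initialize: it parses a hosts file into name-to-address and address-to-name tables, once with the vulnerable Kernel#open pattern and once with the File.open pattern used in the fix plus an explicit pipe check. The injected "command" is a harmless echo so the example can be run safely; the hosts file contents are constructed.

```ruby
require "tempfile"

# Hypothetical stand-in for Resolv::Hosts#lazy_initialize (added example,
# not the stdlib implementation). Parses hosts-file lines into two tables:
#   name2addr: hostname => [addresses]
#   addr2name: address  => [hostnames]
module HostsDemo
  def self.parse_hosts(io)
    name2addr = Hash.new { |h, k| h[k] = [] }
    addr2name = Hash.new { |h, k| h[k] = [] }
    io.each_line do |line|
      addr, *hostnames = line.sub(/#.*/, "").split   # drop comments, split on whitespace
      next unless addr                               # blank or comment-only line
      addr2name[addr].concat(hostnames)
      hostnames.each { |h| name2addr[h] << addr }
    end
    [name2addr, addr2name]
  end

  # VULNERABLE pattern (what Ruby <= 2.4.3 did): Kernel#open interprets a
  # leading '|' as "spawn this command and read its stdout", so a filename
  # like "|echo 192.0.2.1 injected.example" runs echo instead of reading a file.
  def self.load_vulnerable(filename)
    open(filename) { |f| parse_hosts(f) }
  end

  # HARDENED pattern (the upstream fix): File.open never spawns a process;
  # a leading '|' is just a byte in a path. The explicit check is added here
  # so a malicious value is refused loudly rather than failing with ENOENT.
  def self.load_hardened(filename)
    raise ArgumentError, "refusing pipe path: #{filename.inspect}" if filename.start_with?("|")
    File.open(filename, "rb") { |f| parse_hosts(f) }
  end

  # Writes a constructed hosts file and returns its path (caller keeps the
  # Tempfile alive so the file is not garbage-collected).
  def self.sample_hosts_file
    tmp = Tempfile.new("hosts")
    tmp.write("127.0.0.1 localhost\n10.0.0.5 db.internal db # primary database\n\n")
    tmp.flush
    tmp
  end
end

if __FILE__ == $PROGRAM_NAME
  tmp = HostsDemo.sample_hosts_file
  name2addr, = HostsDemo.load_hardened(tmp.path)
  puts "db.internal -> #{name2addr['db.internal'].inspect}"

  injected, = HostsDemo.load_vulnerable("|echo 192.0.2.1 injected.example")
  puts "vulnerable loader learned: #{injected.keys.inspect}"   # command output, not a file

  begin
    HostsDemo.load_hardened("|echo 192.0.2.1 injected.example")
  rescue ArgumentError => e
    puts "hardened loader: #{e.message}"
  end
end
```

Kernel#open forwards a pipe-prefixed string to IO.popen, so the injected command runs with the full privileges of the Ruby process; newer Ruby releases print a deprecation warning for that form but still execute it, which is why the explicit start_with?("|") check is worth keeping in any code that opens user-supplied paths.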

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published: 20 December 2017

  • Vulnerability reserved