CVE-2017-17405

Current Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

Referenced by CVEs:CVE-2017-17790

Basic Data

PublishedDecember 15, 2017
Last ModifiedSeptember 19, 2019
Assignercve@mitre.org
Data TypeCVE
Data FormatMITRE
Data Version4.0
Problem TypeCWE-78
CVE Data Version4.0

Base Metric V2

CVSS 2 - Version2.0
CVSS 2 - Vector StringAV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS 2 - Access VectorNETWORK
CVSS 2 - Access ComplexityMEDIUM
CVSS 2 - AuthenticationNONE
CVSS 2 - Confidentiality ImpactCOMPLETE
CVSS 2 - Availability ImpactCOMPLETE
CVSS 2 - Base Score9.3
SeverityHIGH
Exploitability Score8.6
Impact Score10.0
Obtain All Privilegefalse
Obtain User Privilegefalse
Obtain Other Privilegefalse

Base Metric V3

CVSS 3 - Version3.0
CVSS 3 - Vector StringCVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVSS 3 - Attack VectorNETWORK
CVSS 3 - Attack ComplexityLOW
CVSS 3 - Privileges RequiredNONE
CVSS 3 - User InteractionREQUIRED
CVSS 3 - ScopeUNCHANGED
CVSS 3 - Confidentiality ImpactHIGH
CVSS 3 - Integrity ImpactHIGH
CVSS 3 - Availability ImpactHIGH
CVSS 3 - Base Score8.8
CVSS 3 - Base SeverityHIGH
Exploitability Score2.8
Base SeverityHIGH

Configurations

  • OR - Configuration 1
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3ApplicationRuby-langRuby********2.22.2.8
    2.3ApplicationRuby-langRuby********2.32.3.5
    2.3ApplicationRuby-langRuby********2.42.4.2
    2.3ApplicationRuby-langRuby2.5.0preview1******
  • OR - Configuration 2
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSDebianDebian Linux7.0*******
    2.3OSDebianDebian Linux8.0*******
    2.3OSDebianDebian Linux9.0*******
  • OR - Configuration 3
    Cpe VersionPartVendorProductVersionUpdateEditionLanguageSW EditionTarget SWTarget HWOtherVersion Start IncludingVersion End IncludingVersion Start ExcludingVersion End Excluding
    2.3OSRedhatEnterprise Linux Desktop7.0*******
    2.3OSRedhatEnterprise Linux Server7.0*******
    2.3OSRedhatEnterprise Linux Server Aus7.4*******
    2.3OSRedhatEnterprise Linux Server Aus7.6*******
    2.3OSRedhatEnterprise Linux Server Eus7.4*******
    2.3OSRedhatEnterprise Linux Server Eus7.5*******
    2.3OSRedhatEnterprise Linux Server Eus7.6*******
    2.3OSRedhatEnterprise Linux Server Tus7.4*******
    2.3OSRedhatEnterprise Linux Server Tus7.6*******
    2.3OSRedhatEnterprise Linux Workstation7.0*******

Vulnerable Software List

VendorProductVersions
Ruby-lang Ruby *, 2.5.0
Debian Debian Linux 7.0, 8.0, 9.0
Redhat Enterprise Linux Workstation 7.0
Redhat Enterprise Linux Desktop 7.0
Redhat Enterprise Linux Server Aus 7.4, 7.6
Redhat Enterprise Linux Server Tus 7.4, 7.6
Redhat Enterprise Linux Server Eus 7.4, 7.5, 7.6
Redhat Enterprise Linux Server 7.0

References

NameSourceURLTags
102204http://www.securityfocus.com/bid/102204BIDThird Party Advisory VDB Entry
1042004http://www.securitytracker.com/id/1042004SECTRACKThird Party Advisory VDB Entry
RHSA-2018:0378https://access.redhat.com/errata/RHSA-2018:0378REDHATThird Party Advisory
RHSA-2018:0583https://access.redhat.com/errata/RHSA-2018:0583REDHATThird Party Advisory
RHSA-2018:0584https://access.redhat.com/errata/RHSA-2018:0584REDHATThird Party Advisory
RHSA-2018:0585https://access.redhat.com/errata/RHSA-2018:0585REDHATThird Party Advisory
RHSA-2019:2806https://access.redhat.com/errata/RHSA-2019:2806REDHAT
[debian-lts-announce] 20171225 [SECURITY] [DLA 1222-1] ruby1.8 security updatehttps://lists.debian.org/debian-lts-announce/2017/12/msg00024.htmlMLISTMailing List Third Party Advisory
[debian-lts-announce] 20171225 [SECURITY] [DLA 1221-1] ruby1.9.1 security updatehttps://lists.debian.org/debian-lts-announce/2017/12/msg00025.htmlMLISTMailing List Third Party Advisory
[debian-lts-announce] 20180714 [SECURITY] [DLA 1421-1] ruby2.1 security updatehttps://lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlMLISTMailing List Third Party Advisory
DSA-4259https://www.debian.org/security/2018/dsa-4259DEBIANThird Party Advisory
43381https://www.exploit-db.com/exploits/43381/EXPLOIT-DBExploit Third Party Advisory VDB Entry
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/CONFIRMVendor Advisory
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/CONFIRMPatch Release Notes Vendor Advisory