TROYANOSYVIRUS
Back to CVEs

CVE-2017-17405

N/A

Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

CVE Details

CVSS v3.1 ScoreN/A
Published12/15/2017
Last Modified4/20/2025
Sourcenvd
Honeypot Sightings0

Affected Products

debian:debian_linuxredhat:enterprise_linux_desktopredhat:enterprise_linux_serverredhat:enterprise_linux_server_ausredhat:enterprise_linux_server_eusredhat:enterprise_linux_server_tusredhat:enterprise_linux_workstationruby-lang:ruby

Weaknesses (CWE)

CWE-78

References

http://www.securityfocus.com/bid/102204(cve@mitre.org)
http://www.securitytracker.com/id/1042004(cve@mitre.org)
https://access.redhat.com/errata/RHSA-2018:0378(cve@mitre.org)
https://access.redhat.com/errata/RHSA-2018:0583(cve@mitre.org)
https://access.redhat.com/errata/RHSA-2018:0584(cve@mitre.org)
https://access.redhat.com/errata/RHSA-2018:0585(cve@mitre.org)
https://access.redhat.com/errata/RHSA-2019:2806(cve@mitre.org)
https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html(cve@mitre.org)
https://lists.debian.org/debian-lts-announce/2017/12/msg00025.html(cve@mitre.org)
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html(cve@mitre.org)
https://www.debian.org/security/2018/dsa-4259(cve@mitre.org)
https://www.exploit-db.com/exploits/43381/(cve@mitre.org)
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/(cve@mitre.org)
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/(cve@mitre.org)
http://www.securityfocus.com/bid/102204(af854a3a-2127-422b-91ae-364da2661108)
http://www.securitytracker.com/id/1042004(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0378(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0583(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0584(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2018:0585(af854a3a-2127-422b-91ae-364da2661108)
https://access.redhat.com/errata/RHSA-2019:2806(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2017/12/msg00025.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.debian.org/security/2018/dsa-4259(af854a3a-2127-422b-91ae-364da2661108)
https://www.exploit-db.com/exploits/43381/(af854a3a-2127-422b-91ae-364da2661108)
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/(af854a3a-2127-422b-91ae-364da2661108)
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/(af854a3a-2127-422b-91ae-364da2661108)

IOC Correlations

No correlations recorded

This product uses data from the NVD API but is not endorsed or certified by the NVD.