CVE-2017-17405

Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the | pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
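The root cause named above is that Kernel#open treats a string beginning with "|" as a command to spawn, and Net::FTP handed it a string derived from a server-controlled remote file name. The Ruby below is an added defensive example for this record, not code from Ruby's Net::FTP or from ManageEngine; the function names (safe_local_name, store_download, triage_names) and the sample names are constructed for illustration. It shows the two checks an application that still derives local file names from remote ones should apply: refuse a derived name that starts with "|" (File.basename alone does not remove it), and write the local file with File.open, which never interprets its argument as a command, instead of Kernel#open.

```ruby
# Added defensive example for CVE-2017-17405 (constructed; not Net::FTP code).
# Kernel#open("|cmd") spawns cmd; File.open never does. The helpers below keep
# a server-supplied name from ever reaching Kernel#open in the first place.
require "tmpdir"

# The prefix Kernel#open interprets as "run this as a command".
PIPE_PREFIX = "|".freeze

# Reduce a server-supplied path to a plain file name and refuse anything that
# is empty, a directory alias, pipe-like, or carries control characters.
# Returns the sanitized name or raises ArgumentError.
def safe_local_name(remotefile)
  name = File.basename(remotefile.to_s)
  if name.empty? || name == "." || name == ".."
    raise ArgumentError, "empty or special file name: #{remotefile.inspect}"
  end
  # File.basename("dir/|cmd") is "|cmd", so the check must run on the result.
  raise ArgumentError, "refusing pipe-like local name: #{name.inspect}" if name.start_with?(PIPE_PREFIX)
  raise ArgumentError, "control characters in file name: #{name.inspect}" if name.match?(/[\x00-\x1f]/)
  name
end

# Write downloaded data to dir/<sanitized name> using File.open (never
# Kernel#open). O_EXCL refuses to overwrite an existing file; mode 0600 keeps
# the download private. Returns the path written.
def store_download(dir, remotefile, data)
  path = File.join(dir, safe_local_name(remotefile))
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(data) }
  path
end

# Triage a batch of server-supplied names into accepted (sanitized) names and
# rejected names with the reason, e.g. for logging in a review step.
def triage_names(names)
  names.each_with_object({ accepted: [], rejected: [] }) do |n, acc|
    begin
      acc[:accepted] << safe_local_name(n)
    rescue ArgumentError => e
      acc[:rejected] << [n, e.message]
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample names as a hostile or confused server might return them.
  samples = ["report.csv", "|id", "dir/|uname -a", "../../etc/passwd", ".", ""]
  Dir.mktmpdir do |dir|
    p triage_names(samples)
    p store_download(dir, "report.csv", "a,b,c\n")
  end
end
```

The third sample shows why the check must run after File.basename rather than on the raw remote path: the directory part is stripped, and the pipe prefix is what remains. The durable fix is still to run Ruby 2.4.3 or later (or a vendor build carrying the patch), where Net::FTP itself no longer calls Kernel#open on the local name; the wrapper above is the belt to that upgrade's braces for code that builds local names on its own.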

Risk Information

Base Score: 8.8 (MODERATE)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score (Exploitation Probability): 88.646

Associated Vulnerability

Vulnerability | OS Platform
Multiple vulnerabilities are fixed in macOS Mojave 10.14.1 | Mac
Multiple vulnerabilities are fixed in macOS High Sierra 10.13.6 - Reboot Automatically | Mac
Multiple vulnerabilities are fixed in macOS High Sierra 10.13.6 Combo Update - Reboot Automatically | Mac
Object-oriented scripting language (USN-3365-1) ruby2.3_2.3.3-1ubuntu0.3_i386.deb | Linux
Object-oriented scripting language (USN-3365-1) ruby2.3_2.3.3-1ubuntu0.3_amd64.deb | Linux
Object-oriented scripting language (USN-3365-1) libruby2.3_2.3.3-1ubuntu0.3_i386.deb | Linux
Object-oriented scripting language (USN-3365-1) libruby2.3_2.3.3-1ubuntu0.3_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby2.0_2.0.0.484-1ubuntu2.5_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby2.0_2.0.0.484-1ubuntu2.5_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby2.3_2.3.3-1ubuntu0.3_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby2.3_2.3.3-1ubuntu0.3_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby2.3_2.3.3-1ubuntu1.1_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby2.3_2.3.3-1ubuntu1.1_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby1.9.1_1.9.3.484-2ubuntu1.6_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby1.9.1_1.9.3.484-2ubuntu1.6_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) ruby1.9.3_1.9.3.484-2ubuntu1.6_all.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby2.0_2.0.0.484-1ubuntu2.5_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby2.0_2.0.0.484-1ubuntu2.5_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby2.3_2.3.3-1ubuntu0.3_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby2.3_2.3.3-1ubuntu0.3_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby2.3_2.3.3-1ubuntu1.1_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby2.3_2.3.3-1ubuntu1.1_amd64.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby1.9.1_1.9.3.484-2ubuntu1.6_i386.deb | Linux
Interpreter of object-oriented scripting language Ruby (USN-3515-1) libruby1.9.1_1.9.3.484-2ubuntu1.6_amd64.deb | Linux
ruby2.3 security update (DSA-4259-1) ruby2.3_2.3.3-1+deb9u3_i386.deb | Linux
ruby2.3 security update (DSA-4259-1) ruby2.3_2.3.3-1+deb9u3_amd64.deb | Linux
Ruby security update (CESA-2018:0378) ruby-2.0.0.648-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) ruby-doc-2.0.0.648-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) ruby-irb-2.0.0.648-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) rubygems-2.0.14.1-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) ruby-libs-2.0.0.648-33.el7_4.i686.rpm | Linux
Ruby security update (CESA-2018:0378) ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-json-1.7.7-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-rake-0.9.6-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-psych-2.0.0-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-minitest-4.3.2-33.el7_4.noarch.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm | Linux
Ruby security update (CESA-2018:0378) rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-2.0.0.648-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-devel-2.0.0.648-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-doc-2.0.0.648-33.el7_4.noarch.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-irb-2.0.0.648-33.el7_4.noarch.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-libs-2.0.0.648-33.el7_4.i686.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-libs-2.0.0.648-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update ruby-tcltk-2.0.0.648-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-bigdecimal-1.2.0-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-io-console-0.4.2-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-json-1.7.7-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-minitest-4.3.2-33.el7_4.noarch.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-psych-2.0.0-33.el7_4.x86_64.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-rake-0.9.6-33.el7_4.noarch.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygem-rdoc-4.0.0-33.el7_4.noarch.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygems-2.0.14.1-33.el7_4.noarch.rpm | Linux
(RHSA-2018:0378) Important: ruby security update rubygems-devel-2.0.14.1-33.el7_4.noarch.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) libruby2_1-2_1-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) libruby2_1-2_1-debuginfo-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) ruby2.1-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) ruby2.1-debuginfo-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) ruby2.1-debugsource-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) ruby2.1-stdlib-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP4) ruby2.1-stdlib-debuginfo-2.1.9-19.3.2.x86_64.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) libruby2_1-2_1-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) libruby2_1-2_1-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) ruby2.1-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) ruby2.1-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) ruby2.1-debugsource-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) ruby2.1-stdlib-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
SUSE-SU-2020:1570-1 (SUSE Linux Enterprise Server 12-SP5) ruby2.1-stdlib-debuginfo-2.1.9-19.3.2.x86_64_SP5.rpm | Linux
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Vulnerability (CVE-2017-17405) | NCM

Patch Details

Patches provided by ManageEngine for this CVE:

Patch ID | Patch Description
PATCH-602004 | macOS Mojave 10.14.6
PATCH-601562 | macOS High Sierra 10.13.6 - Reboot Automatically
PATCH-601563 | macOS High Sierra 10.13.6 Combo Update - Reboot Automatically

References

https://nvd.nist.gov/vuln/detail/CVE-2017-17405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17405