The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a ‘|’ character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.

References

access.redhat.com/errata/RHSA-2018:0378

access.redhat.com/errata/RHSA-2018:0583

access.redhat.com/errata/RHSA-2018:0584

access.redhat.com/errata/RHSA-2018:0585

github.com/ruby/ruby/pull/1777

lists.debian.org/debian-lts-announce/2017/12/msg00024.html

lists.debian.org/debian-lts-announce/2017/12/msg00025.html

lists.debian.org/debian-lts-announce/2018/07/msg00012.html

www.debian.org/security/2018/dsa-4259

openvas 19

debian 4

nessus 44

osv 6

prion 2

nvd 2

ubuntucve 2

redhat 5

mageia 1

debiancve 2

cve 2

photon 8

freebsd 1

gentoo 1

seebug 1

exploitpack 1

veracode 2

redhatcve 2

checkpoint_advisories 1

hackerone 1

ubuntu 2

zdt 1

slackware 1

cvelist 1

alpinelinux 1

exploitdb 1

rubygems 1

centos 1

oraclelinux 1

ibm 1

fedora 2

amazon 2

apple 4

openvas

Mageia: Security Advisory (MGASA-2017-0486)

2022-01-28 00:00:00

Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2018-1030)

2020-01-23 00:00:00

Debian: Security Advisory (DLA-1222-1)

2023-03-08 00:00:00

debian

[SECURITY] [DLA 1222-1] ruby1.8 security update

2017-12-25 14:56:22

[SECURITY] [DLA 1221-1] ruby1.9.1 security update

2017-12-25 14:56:39

[SECURITY] [DSA 4259-1] ruby2.3 security update

2018-07-31 21:40:30

nessus

Debian DLA-1222-1 : ruby1.8 security update

2017-12-26 00:00:00

EulerOS 2.0 SP1 : ruby (EulerOS-SA-2018-1029)

2018-01-29 00:00:00

Debian DLA-1221-1 : ruby1.9.1 security update

2017-12-26 00:00:00

osv

ruby1.8 - security update

2017-12-24 00:00:00

ruby1.9.1 - security update

2017-12-24 00:00:00

CVE-2017-17790

2017-12-20 09:29:01

prion

Command injection

2017-12-20 09:29:00

Command injection

2017-12-15 09:29:00

nvd

CVE-2017-17790

2017-12-20 09:29:01

CVE-2017-17405

2017-12-15 09:29:00

ubuntucve

CVE-2017-17790

2017-12-20 00:00:00

CVE-2017-17405

2017-12-15 00:00:00

redhat

(RHSA-2018:0584) Important: rh-ruby24-ruby security, bug fix, and enhancement update

2018-03-26 09:12:41

(RHSA-2019:2806) Important: ruby security update

2019-09-17 10:31:23

(RHSA-2018:0378) Important: ruby security update

2018-02-28 16:24:33

mageia

Updated ruby packages fix security vulnerabilities

2017-12-31 18:51:06

debiancve

CVE-2017-17790

2017-12-20 09:29:01

CVE-2017-17405

2017-12-15 09:29:00

cve

CVE-2017-17790

2017-12-20 09:29:01

CVE-2017-17405

2017-12-15 09:29:00

photon

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0100

2018-01-18 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-1.0-0098-A

2018-01-11 00:00:00

Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2018-2.0-0011-A

2018-01-11 00:00:00

freebsd

ruby -- Command injection vulnerability in Net::FTP

2017-12-14 00:00:00

gentoo

Ruby: Command injection

2018-02-20 00:00:00

seebug

Command injection vulnerability in Net::FTP(CVE-2017-17405)

2017-12-18 00:00:00

exploitpack

Ruby 2.2.8 2.3.5 2.4.2 2.5.0-preview1 - NET::Ftp Command Injection

2017-12-02 00:00:00

veracode

Command Injection

2019-05-16 02:49:49

Arbitrary Command Execution

2019-01-15 09:21:10

redhatcve

CVE-2017-17790

2019-10-08 04:44:54

CVE-2017-17405

2017-12-14 21:50:01

checkpoint_advisories

Ruby Net FTP Command Injection (CVE-2017-17405) - Ver2

2018-04-15 00:00:00

hackerone

Ruby: NET::Ftp allows command injection in filenames

2017-12-02 11:33:02

ubuntu

Ruby vulnerability

2018-01-04 00:00:00

Ruby vulnerabilities

2018-01-10 00:00:00

zdt

Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - NET::Ftp Command Injection Exploit

2017-12-22 00:00:00

slackware

[slackware-security] ruby

2017-12-20 06:38:26

cvelist

CVE-2017-17405

2017-12-15 09:00:00

alpinelinux

CVE-2017-17405

2017-12-15 09:29:00

exploitdb

Ruby < 2.2.8 / < 2.3.5 / < 2.4.2 / < 2.5.0-preview1 - 'NET::Ftp' Command Injection

2017-12-02 00:00:00

rubygems

The lazy_initialize function in lib/resolv.rb in Ruby

2017-12-19 21:00:00

centos

ruby, rubygem, rubygems security update

2018-03-10 11:53:01

oraclelinux

ruby security update

2018-02-28 00:00:00

ibm

Security Bulletin: Vulnerabilities in Ruby affect PowerKVM

2018-06-18 01:42:18

fedora

[SECURITY] Fedora 26 Update: ruby-2.4.3-87.fc26

2018-03-11 20:00:06

[SECURITY] Fedora 27 Update: ruby-2.4.3-87.fc27

2018-03-02 16:26:05

amazon

Medium: ruby

2018-04-05 16:06:00

Medium: ruby20, ruby22, ruby23, ruby24

2018-04-04 23:18:00

apple

About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan - Apple Support

2020-07-28 05:29:11

About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan

2018-07-09 00:00:00

About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra - Apple Support

2020-07-27 08:14:47

Solutions

Vulnerabilities intelligence
Perimeter control tool
Linux scanner
Windows scanner
Developers SDK
Security Intelligence feeds

Database

Vulnerabilities
Exploits
Security News
BugBounty
Wild Exploited
Top Vulnerabilities
CVE Feed

Resources

Statics & Sources
Plugins
API docs
FAQ
Blog
Glossary

Company

About
Contacts
Pricing
EULA
Privacy Policy
Submission Policy
OpenSource

@2024 Vulners Inc

7.8 High

AI Score

Confidence

Low

0.895 High

EPSS

Percentile

98.8%

JSON

Related for CVELIST:CVE-2017-17790