The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3
uses Kernel#open, which might allow Command Injection attacks, as
demonstrated by a Resolv::Hosts::new argument beginning with a ‘|’
character, a different vulnerability than CVE-2017-17405.
NOTE: situations with untrusted input may be highly unlikely.
CWE: CWE-74 - Improper Neutralization of Special Elements
CVSS_V3: 9.8 - CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H