RUBY:WEBRICK-2017-10784 (rubygems / RubySec)
History: May 13, 2022 - 9:00 p.m.

WEBrick RCE Vulnerability

Published: 2022-05-13 21:00:00
Source: RubySec
Reference: access.redhat.com
Tags: webrick, rce, vulnerability, ruby, library, remote attack, terminal emulator, crafted user name, arbitrary commands

CVSS2: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
  Attack Vector: NETWORK
  Attack Complexity: MEDIUM
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE

CVSS3: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: REQUIRED
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

The Basic authentication code in the WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
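The defensive side of the description above, as an added example that is not WEBrick's own code: decode a Basic credential the way a server must before it can log a failed attempt, flag user names that carry control bytes, and escape those bytes so the log shows the sequence instead of handing it to the terminal that later displays the log. The header value and the log line format are constructed for the example.

```ruby
# Added example, not WEBrick's own code: parse an HTTP Basic credential the
# way a server must before logging it, and escape control characters so a
# crafted user name cannot smuggle terminal escape sequences into the log.
require 'base64'

# Printable replacements for the control characters most often abused in
# log injection; anything else in the C0/DEL range becomes \xNN.
ESCAPES = { "\e" => '\e', "\n" => '\n', "\r" => '\r', "\t" => '\t' }.freeze
CONTROL = /[\x00-\x1f\x7f]/

# Returns [user, password] from an Authorization header value, or nil when
# the header is not well-formed Basic auth (wrong scheme, bad base64, no
# colon separator, or bytes that are not valid UTF-8).
def parse_basic_auth(header)
  scheme, cred = header.to_s.split(' ', 2)
  return nil unless scheme && cred && scheme.casecmp?('Basic')
  decoded = Base64.strict_decode64(cred.strip).force_encoding('UTF-8')
  return nil unless decoded.valid_encoding?
  user, pass = decoded.split(':', 2)
  pass.nil? ? nil : [user, pass]
rescue ArgumentError
  nil
end

# True when a user name carries bytes that a terminal emulator would
# interpret rather than display; useful as a detection signal on auth logs.
def control_chars?(str)
  str.match?(CONTROL)
end

# Render a string for a log line: every control byte is replaced by a
# visible escape, so viewing the log shows the attempt instead of running it.
def log_safe(str)
  str.gsub(CONTROL) { |c| ESCAPES[c] || format('\x%02x', c.ord) }
end

# Hypothetical failure line (not WEBrick's exact format): the untrusted
# user name only reaches the log after passing through log_safe.
def auth_failure_log(header)
  user, _pass = parse_basic_auth(header)
  "BasicAuth: authentication failed for user=\"#{log_safe(user.to_s)}\""
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: a user name that starts with an ANSI "clear screen".
  hdr = 'Basic ' + Base64.strict_encode64("\e[2Jalice:s3cret")
  puts auth_failure_log(hdr)
end
```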

Affected configurations

Vulners node: ruby webrick, Range: 1.4.0

Vendor: ruby
Product: webrick
Version: *
CPE: cpe:2.3:a:ruby:webrick:*:*:*:*:*:*:*:*
