CVE-2017-17405

2017-12-1500:00:00

ubuntu.com

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

9.3 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

0.895 High

EPSS

Percentile

98.7%

JSON

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get,
getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use
Kernel#open to open a local file. If the localfile argument starts with the
“|” pipe character, the command following the pipe character is executed.
The default value of localfile is File.basename(remotefile), so malicious
FTP servers could cause arbitrary command execution.

Bugs

<https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884438>

OSVersionArchitecturePackageVersionFilename
ubuntu14.04noarchruby1.9.1< 1.9.3.484-2ubuntu1.6UNKNOWN
ubuntu14.04noarchruby2.0< 2.0.0.484-1ubuntu2.5UNKNOWN
ubuntu17.10noarchruby2.3< 2.3.3-1ubuntu1.1UNKNOWN
ubuntu16.04noarchruby2.3< 2.3.1-2~16.04.4UNKNOWN
ubuntu17.04noarchruby2.3< 2.3.3-1ubuntu0.3UNKNOWN

OS	Version	Architecture	Package	Version	Filename
ubuntu	14.04	noarch	ruby1.9.1	< 1.9.3.484-2ubuntu1.6	UNKNOWN
ubuntu	14.04	noarch	ruby2.0	< 2.0.0.484-1ubuntu2.5	UNKNOWN
ubuntu	17.10	noarch	ruby2.3	< 2.3.3-1ubuntu1.1	UNKNOWN
ubuntu	16.04	noarch	ruby2.3	< 2.3.1-2~16.04.4	UNKNOWN
ubuntu	17.04	noarch	ruby2.3	< 2.3.3-1ubuntu0.3	UNKNOWN