vulnerability
Amazon Linux AMI: CVE-2017-17790: Security patch for ruby20, ruby22, ruby23, ruby24 (ALAS-2018-983)
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Dec 20, 2017 | Apr 6, 2018 | Apr 16, 2020 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published
Dec 20, 2017
Added
Apr 6, 2018
Modified
Apr 16, 2020
Description
The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.
Solutions
amazon-linux-upgrade--ruby22amazon-linux-upgrade--ruby23amazon-linux-upgrade--ruby24amazon-linux-upgrade-ruby20
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.