Vulnerability & Exploit Database


FreeBSD: VID-DD644964-E10E-11E7-8097-0800271D4B9C (CVE-2017-17405): ruby -- Command injection vulnerability in Net::FTP

Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: December 14, 2017
Added: December 20, 2017
Modified: January 17, 2018

Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
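The following is an added example, not code from the advisory or from Ruby's own Net::FTP. It shows why the default localfile value is dangerous (File.basename of a server-supplied name keeps a leading "|", which Kernel#open interprets as a command to run) and a defensive replacement for application code that names local files after remote ones: derive the name, reject anything outside a strict allow-list, and open it with File.open, which never spawns a process. The function names, the SAFE_NAME pattern and the temporary directory used in the demo are assumptions of this example.

```ruby
require "tmpdir"

# Returns true when the local file name that the vulnerable default
# (File.basename(remotefile)) would produce starts with "|", i.e. when
# Kernel#open would treat it as a pipe to a command instead of a file.
def pipe_prone_local_name?(remotefile)
  File.basename(remotefile).start_with?("|")
end

# Allow-list for local file names: plain characters only, no separators,
# no leading "|". (Pattern name and contents are this example's choice.)
SAFE_NAME = /\A[A-Za-z0-9._-]+\z/

# Derive a local path from a server-supplied remote name, refusing anything
# that is not a plain file name inside +dir+.
def safe_local_path(dir, remotefile)
  name = File.basename(remotefile)
  unless name.match?(SAFE_NAME) && name != "." && name != ".."
    raise ArgumentError, "unsafe local file name: #{name.inspect}"
  end
  File.join(dir, name)
end

# Hardened write: File.open (not Kernel#open) is used, so even a name that
# slipped past validation could never start a subprocess.
def write_local_file(dir, remotefile, data)
  path = safe_local_path(dir, remotefile)
  File.open(path, "wb") { |f| f.write(data) }
  path
end

# Demonstrates that File.open treats a leading "|" literally: it creates a
# file with that name rather than running anything. Returns true if the
# literal file was created. Uses a throwaway temporary directory.
def file_open_is_literal?
  Dir.mktmpdir do |dir|
    path = File.join(dir, "|not-a-command")
    File.open(path, "w") { |f| f.write("data") }
    return File.exist?(path)
  end
end

# Round-trip helper for the demo: writes constructed data under a safe name
# and returns what was written.
def demo_roundtrip
  Dir.mktmpdir do |dir|
    path = write_local_file(dir, "/pub/report.txt", "constructed sample data")
    return File.read(path)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "default name prone to pipe: #{pipe_prone_local_name?('|id')}"
  puts "File.open literal: #{file_open_is_literal?}"
  puts "roundtrip: #{demo_roundtrip}"
end
```

Applications that pass a remote name through to Net::FTP#get should either upgrade to a fixed Ruby (the advisory's solution) or always supply an explicit, validated localfile argument rather than relying on the default.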



Solution

freebsd-upgrade-package-ruby
