
FreeBSD: VID-DD644964-E10E-11E7-8097-0800271D4B9C (CVE-2017-17405): ruby -- Command injection vulnerability in Net::FTP

Severity: 9
CVSS: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Published: December 13, 2017
Added: December 19, 2017
Modified: January 16, 2018

Description

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open the local file. If the localfile argument starts with the "|" pipe character, Kernel#open executes the command following the pipe character instead of opening a file. Because the default value of localfile is File.basename(remotefile), a malicious FTP server that supplies a remote file name beginning with "|" could cause arbitrary command execution on the client.
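The following is an added example, not code from the advisory or from Ruby's own Net::FTP, showing the defensive pattern the description implies: derive the local name the way the default File.basename(remotefile) does, refuse any name that Kernel#open would treat as a command, and write through File.open, which never interprets a leading "|" as a pipe. The helper names safe_local_name and save_download are assumptions of this example.

```ruby
require "tmpdir"

# Derive a local file name from a server-supplied remote name, mirroring the
# File.basename(remotefile) default, but reject anything Kernel#open would
# run as a command. Returns the validated basename.
def safe_local_name(remotefile)
  name = File.basename(remotefile.to_s)
  # Kernel#open spawns a subprocess when the path starts with "|";
  # File.basename does nothing to prevent that, so check explicitly.
  if name.start_with?("|")
    raise ArgumentError, "refusing pipe-style local name: #{name.inspect}"
  end
  # Empty or dot names would not be usable file targets either.
  if name.empty? || name == "." || name == ".."
    raise ArgumentError, "invalid local name: #{name.inspect}"
  end
  name
end

# Write downloaded data to dir under a name derived from remotefile.
# Uses File.open rather than Kernel#open, so even a name that slipped past
# validation would be treated as a literal path, never as a command.
# Returns the path written.
def save_download(dir, remotefile, data)
  path = File.join(dir, safe_local_name(remotefile))
  File.open(path, "wb") { |f| f.write(data) }
  path
end

# Stand-alone demonstration on constructed input (hypothetical file names).
if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts "written: #{save_download(dir, 'pub/report.txt', 'constructed data')}"
    begin
      save_download(dir, "|cmd", "x")
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

A client that calls Net::FTP#get with an explicit, validated localfile (rather than relying on the default) avoids the problem on affected Ruby versions; on 2.4.3 and later the library's own file handling no longer goes through Kernel#open.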

Solution

freebsd-upgrade-package-ruby
