Vulnerability & Exploit Database

FreeBSD: VID-DD644964-E10E-11E7-8097-0800271D4B9C (CVE-2017-17405): ruby -- Command injection vulnerability in Net::FTP

Severity: 9
CVSS (v2 vector): AV:N/AC:M/Au:N/C:C/I:C/A:C
Published: December 14, 2017
Added: December 20, 2017
Modified: January 17, 2018


Ruby before 2.4.3 allows command injection through Net::FTP. Net::FTP#get, #getbinaryfile, #gettextfile, #put, #putbinaryfile and #puttextfile open the local file with Kernel#open rather than File.open. Kernel#open treats a filename that starts with the "|" pipe character as a command to spawn (the same behaviour as IO.popen), so the text after the pipe is executed with the privileges of the Ruby process. Because localfile defaults to File.basename(remotefile), a client that downloads or uploads files under names supplied by the server (for example, names taken from a directory listing) can be made to run arbitrary commands by a malicious FTP server; the attacker-chosen name only has to contain no path separator, so that File.basename leaves the leading pipe intact. Ruby 2.4.3 (and the corresponding 2.2.9 and 2.3.6 releases) fixes the issue by opening the local file with File.open, which interprets its argument strictly as a path. Clients that cannot upgrade should always pass an explicit, validated localfile argument instead of relying on the default.
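The following Ruby script is an added illustration, not code from the advisory or from Ruby's net/ftp library. It reproduces the primitive the advisory describes without a network: a hostile remote filename (constructed here as "|touch pwned") is passed through the same File.basename default that Net::FTP used, then opened once with Kernel#open, as the vulnerable versions did, and once with File.open, as the fix does. Everything runs inside a throwaway directory, and a third helper, safe_local_name, is a hypothetical client-side guard for code that cannot upgrade yet.

```ruby
require "tmpdir"

# Net::FTP's vulnerable default: localfile = File.basename(remotefile).
def default_localfile(remotefile)
  File.basename(remotefile)
end

# Hostile filename a malicious server could hand back in a directory listing.
# It contains no "/" so File.basename leaves it intact and the leading "|"
# reaches open(). Constructed here purely for the demonstration.
HOSTILE_REMOTE = "|touch pwned".freeze
MARKER = "pwned".freeze

# Runs opener.call(localfile) inside a scratch directory and reports whether
# the planted `touch pwned` actually executed there.
def run_with(opener)
  Dir.mktmpdir("netftp-demo") do |dir|
    Dir.chdir(dir) do
      opener.call(default_localfile(HOSTILE_REMOTE))
    end
    File.exist?(File.join(dir, MARKER))
  end
end

# Vulnerable pattern (net/ftp before 2.4.3): Kernel#open treats a leading "|"
# as "spawn this command and give me a pipe to it", so `touch pwned` runs.
def vulnerable_download_runs_command?
  run_with(->(localfile) { open(localfile, "w") { |_io| } })
end

# Fixed pattern: File.open treats the argument strictly as a path, so the
# only side effect is a file literally named "|touch pwned".
def hardened_download_runs_command?
  run_with(->(localfile) { File.open(localfile, "w") { |_io| } })
end

# Hypothetical guard for callers stuck on an old Ruby: derive the local name
# yourself, then allow only a conservative character set before it is used.
def safe_local_name(remotefile)
  name = File.basename(remotefile)
  if name.empty? || name == "." || name == ".." || name.start_with?("|") ||
     name.include?("\0") || name !~ /\A[\w.\-]+\z/
    raise ArgumentError, "unsafe local filename derived from #{remotefile.inspect}"
  end
  name
end

if __FILE__ == $PROGRAM_NAME
  puts "Kernel#open executed the planted command: #{vulnerable_download_runs_command?}"
  puts "File.open executed the planted command:   #{hardened_download_runs_command?}"
  begin
    safe_local_name(HOSTILE_REMOTE)
  rescue ArgumentError => e
    puts "guard rejected it: #{e.message}"
  end
end
```

The allow-list in safe_local_name is deliberately strict (letters, digits, underscore, dot and hyphen only); loosen it to taste, but keep rejecting a leading pipe, empty names and the "." and ".." entries, since those are exactly what File.basename will pass through unchanged.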
