vulnerability

Oracle Linux: CVE-2017-17790: ELSA-2018-0378: ruby security update (IMPORTANT) (Multiple Advisories)

Try Surface Command
Back to search
Severity
8
CVSS
(AV:N/AC:H/Au:N/C:C/I:C/A:C)
Published
2017-12-19
Added
2018-03-01
Modified
2024-11-29

Description

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.
The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands.

Solution(s)

oracle-linux-upgrade-rubyoracle-linux-upgrade-ruby-develoracle-linux-upgrade-ruby-docoracle-linux-upgrade-rubygem-bigdecimaloracle-linux-upgrade-rubygem-io-consoleoracle-linux-upgrade-rubygem-jsonoracle-linux-upgrade-rubygem-minitestoracle-linux-upgrade-rubygem-psychoracle-linux-upgrade-rubygem-rakeoracle-linux-upgrade-rubygem-rdocoracle-linux-upgrade-rubygemsoracle-linux-upgrade-rubygems-develoracle-linux-upgrade-ruby-irboracle-linux-upgrade-ruby-libsoracle-linux-upgrade-ruby-tcltk

References

Title
NEW

Explore Exposure Command

Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.

Try it today