#VU10848 Command injection in Ruby


Published: 2018-03-06

Vulnerability identifier: #VU10848

Vulnerability risk: Low

CVSSv3.1: 6.4 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2017-17790

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ruby
Universal components / Libraries / Scripting languages

Vendor: Ruby

Description
The vulnerability allows a remote attacker to execute arbitrary command on the target system.

The weakness exists in the lazy_initialize function due to command injection. A remote attacker can send a specially crafted request, inject and execute arbitrary commands.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ruby: 2.4.3

External links
http://github.com/ruby/ruby/pull/1777

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Protection Search
Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance
Debian update for ruby2.3
Amazon Linux AMI update for ruby20, ruby22, ruby23, ruby24
Red Hat Software Collections update for rh-ruby23-ruby
Red Hat Software Collections update for rh-ruby24-ruby
Red Hat Software Collections update for rh-ruby22-ruby
Red Hat update for ruby
Ubuntu update for Ruby