#VU9718 Command injection in Ruby


Published: 2021-06-17

Vulnerability identifier: #VU9718

Vulnerability risk: High

CVSSv3.1: 9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2017-17405

CWE-ID: CWE-77

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
Ruby
Universal components / Libraries / Scripting languages

Vendor: Ruby

Description
The vulnerability allows a remote attacker to execute arbitrary commands on the target system.

The weakness exists due to flaws in the Net::FTP. A remote attacker can inject and execute arbitrary commands with elevated privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation
Update to version 2.2.9, 2.3.6, 2.4.3 or later.

Vulnerable software versions

Ruby: 2.2.0 - 2.4.2

External links
http://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.


Latest bulletins with this vulnerability


Multiple vulnerabilities in Dell EMC Data Protection Search
Multiple vulnerabilities in Dell EMC Integrated Data Protection Appliance
Red Hat update for ruby
Multiple vulnerabilities in Apple MacOS
Debian update for ruby2.3
Red Hat Software Collections update for rh-ruby23-ruby
Red Hat Software Collections update for rh-ruby24-ruby
Red Hat Software Collections update for rh-ruby22-ruby
Red Hat update for ruby
Gentoo update for Ruby