CVE-2017-17790

Published: 20/12/2017 Updated: 03/08/2018
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 668
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

The lazy_initialize function in lib/resolv.rb in Ruby up to and including 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.
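Kernel#open treats an argument that begins with '|' as a command to spawn rather than a file to read, which is the mechanism behind the summary above. The following is an added example, not code from Ruby's lib/resolv.rb or from the upstream fix: it shows a hosts-file reader that validates the name and uses File.open (which only ever opens files, so a '|'-prefixed string simply fails with Errno::ENOENT) instead of Kernel#open. The function names and the sample hosts content are constructed for this illustration.

```ruby
# Added example (not Ruby's own resolv.rb code): read a hosts-style file
# without the Kernel#open pipe behaviour that CVE-2017-17790 describes.
require "tempfile"
require "stringio"

# Reject names that Kernel#open would interpret as "run this command".
# Assumed helper name, not from the page.
def hosts_filename_safe?(name)
  name.is_a?(String) && !name.start_with?("|")
end

# Parse "address hostname [alias ...]" lines into { name => [addresses] }.
def parse_hosts(io)
  table = Hash.new { |h, k| h[k] = [] }
  io.each_line do |line|
    line = line.sub(/#.*/, "").strip   # strip comments and surrounding space
    next if line.empty?                # skip blank / comment-only lines
    addr, *names = line.split
    names.each { |n| table[n.downcase] << addr }
  end
  table
end

# Hardened reader: validate first, then use File.open, which never spawns a
# process; File.open("|id") raises Errno::ENOENT instead of running `id`.
def read_hosts(filename)
  unless hosts_filename_safe?(filename)
    raise ArgumentError, "refusing command-like filename: #{filename.inspect}"
  end
  File.open(filename, "r") { |f| parse_hosts(f) }
end

# Constructed sample input so the example runs offline.
SAMPLE_HOSTS = <<~HOSTS
  127.0.0.1   localhost
  ::1         localhost ip6-localhost   # IPv6 loopback
  10.0.0.5    build.example.test builder
HOSTS

# Write the sample to a temp file and parse it through the hardened path.
def demo
  Tempfile.create("hosts") do |f|
    f.write(SAMPLE_HOSTS)
    f.flush
    read_hosts(f.path)
  end
end

if __FILE__ == $PROGRAM_NAME
  p demo
  begin
    read_hosts("|id")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The validation step is belt-and-braces: File.open alone already removes the spawn behaviour, but rejecting '|'-prefixed names explicitly makes the intent visible in code review and gives a clear error to log when untrusted input reaches this code path.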

Vulnerable Products

ruby-lang ruby 2.5.0

ruby-lang ruby

Vendor Advisories

Several security issues were fixed in Ruby ...
Debian Bug report logs - #884878 ruby25: CVE-2017-17790: fixed command injection Package: src:ruby25; Maintainer for src:ruby25 is Debian Ruby Team <pkg-ruby-extras-maintainers@lists.alioth.debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org> Date: Wed, 20 Dec 2017 21:33:02 UTC Severity: important Ta ...
Synopsis Important: rh-ruby23-ruby security, bug fix, and enhancement update Type/Severity Security Advisory: Important Topic An update for rh-ruby23-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis Important: ruby security update Type/Severity Security Advisory: Important Topic An update for ruby is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which ...
Synopsis Important: rh-ruby22-ruby security, bug fix, and enhancement update Type/Severity Security Advisory: Important Topic An update for rh-ruby22-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Synopsis Important: rh-ruby24-ruby security, bug fix, and enhancement update Type/Severity Security Advisory: Important Topic An update for rh-ruby24-ruby is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulne ...
Several vulnerabilities have been discovered in the interpreter for the Ruby language, which may result in incorrect processing of HTTP/FTP, directory traversal, command injection, unintended socket creation or information disclosure. This update also fixes several issues in RubyGems which could allow an attacker to use specially crafted gem files ...
Path traversal when writing to a symlinked basedir outside of the root. RubyGems version Ruby 2.2 series: 2.2.9 and earlier, Ruby 2.3 series: 2.3.6 and earlier, Ruby 2.4 series: 2.4.3 and earlier, Ruby 2.5 series: 2.5.0 and earlier, prior to trunk revision 62422 contains a Directory Traversal vulnerability in install_location function of package.rb t ...
The "lazy_initialize" function in lib/resolv.rb did not properly process certain filenames. A remote attacker could possibly exploit this flaw to inject and execute arbitrary commands ...