PT-2017-3904 · Ruby+5 · Ruby+5

Philcryoport

Publicado

2017-12-20

Atualizado

2020-06-09

CVE-2017-17790

CVSS v2.0

Crítica

Vetor

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Ruby versions prior to 2.4.4

Description The issue is related to the lazy initialize function in lib/resolv.rb, which may allow command injection attacks due to the use of Kernel#open. This could be exploited by passing a Resolv::Hosts::new argument starting with a '|' character. The vulnerability is more likely to be exploited in situations where untrusted input is processed.

Recommendations For Ruby versions prior to 2.4.4, update to a version that contains a fix for this issue. As a temporary workaround, consider avoiding the use of untrusted input in the Resolv::Hosts::new argument to minimize the risk of exploitation.

Exploit

Correção

Special Elements Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-74

Identificadores relacionados

ALT-PU-2018-1418

BDU:2019-04563

CESA-2018_0378

CVE-2017-17790

DLA-1221-1

DLA-1222-1

DLA-1421-1

DSA-4259-1

MGASA-2017-0486

RHSA-2018:0378

RHSA-2018:0583

RHSA-2018:0584

RHSA-2018:0585

RHSA-2018_0378

SUSE-SU-2020:1570-1

SUSE-SU-2020_1570-1

USN-3528-1

Produtos afetados

Alt Linux

Centos

Red Hat

Ruby

Suse

Ubuntu

PT-2017-3904 · Ruby+5 · Ruby+5

CVE-2017-17790

Enumeração de Fraquezas

Identificadores relacionados

Produtos afetados

Referências · 113