CVE-2017-17405

Name of the Vulnerable Software and Affected Versions: Ruby versions prior to 2.4.3

Description: The issue is related to command injection in Net::FTP. The get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile methods use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. This could allow malicious FTP servers to cause arbitrary command execution by manipulating the localfile argument, which defaults to File.basename(remotefile). The vulnerability is due to an input filtering error.

Recommendations: For Ruby versions prior to 2.4.3, update to version 2.4.3 or later to resolve the issue. As a temporary workaround, consider avoiding the use of the localfile argument with the "|" pipe character in the affected Net::FTP methods until a patch is applied. Restrict access to the Net::FTP class to minimize the risk of exploitation. Avoid using the localfile argument in the affected API endpoints until the issue is resolved.