CVE-2017-17405: OS Command Injection
It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.
Other sources
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Ruby. Multiple issues in Ruby were addressed in this update.
There is a command injection vulnerability in Net::FTP bundled with Ruby. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
External references:
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
— Red Hat
Credit
Affected Software
Remediation
Event History
Parent advisories
This vulnerability appears in the following advisories.
Peer vulnerabilities
Found alongside the following vulnerabilities.
- CVE-2018-4295
- CVE-2018-4410
- CVE-2018-4417
- CVE-2017-12613
- CVE-2017-12618
- CVE-2018-4411
- CVE-2018-4308
- CVE-2018-4468
- CVE-2018-4126
- CVE-2018-4415
- CVE-2018-4398
- CVE-2018-4412
- CVE-2018-4153
- CVE-2018-4406
- CVE-2018-4346
- CVE-2018-4403
- CVE-2018-4423
- CVE-2018-3639
- CVE-2018-4342
- CVE-2018-4304
- CVE-2018-4426
- CVE-2018-4331
- CVE-2018-3646
- CVE-2018-4242
- CVE-2018-4394
- CVE-2018-4334
- CVE-2018-4396
- CVE-2018-4418
- CVE-2018-4350
- CVE-2018-4421
- CVE-2018-4422
- CVE-2018-4408
- CVE-2018-4402
- CVE-2018-4341
- CVE-2018-4354
- CVE-2018-4401
- CVE-2018-4371
- CVE-2018-4420
- CVE-2018-4399
- CVE-2018-4340
- CVE-2018-4419
- CVE-2018-4425
- CVE-2018-4259
- CVE-2018-4286
- CVE-2018-4287
- CVE-2018-4288
- CVE-2018-4291
- CVE-2018-4413
- CVE-2018-4407
- CVE-2018-4424
- CVE-2018-4187
- CVE-2018-4348
- CVE-2018-4389
- CVE-2018-4326
- CVE-2018-4310
- CVE-2018-3640
- CVE-2018-4369
- CVE-2018-6797
- CVE-2017-0898
- CVE-2017-10784
- CVE-2017-14033
- CVE-2017-14064
- CVE-2017-17405
- CVE-2017-17742
- CVE-2018-6914
- CVE-2018-8777
- CVE-2018-8778
- CVE-2018-8779
- CVE-2018-8780
- CVE-2018-4400
- CVE-2018-4395
- CVE-2018-4393
- CVE-2018-4203
- CVE-2018-4368
- CVE-2018-4470
- CVE-2018-4289
- CVE-2018-4268
- CVE-2018-4285
- CVE-2018-5383
- CVE-2018-4293
- CVE-2018-4269
- CVE-2018-4276
- CVE-2018-4178
- CVE-2018-4456
- CVE-2018-4283
- CVE-2018-3665
- CVE-2018-4280
- CVE-2018-4248
- CVE-2018-4277
- CVE-2018-6913
- CVE-2018-4274
Frequently Asked Questions
What is CVE-2017-17405?
CVE-2017-17405 is a vulnerability in Ruby that allows Net::FTP command injection.
What is the severity of CVE-2017-17405?
CVE-2017-17405 has a severity rating of 8.8 (critical).
How can I fix CVE-2017-17405?
To fix CVE-2017-17405, you should update to Ruby version 2.5.5-3+deb10u4 or 2.5.5-3+deb10u6 for Debian, and version 2.4.3 for Red Hat. Make sure to check the vendor's official website for the latest updates.
Where can I find more information about CVE-2017-17405?
You can find more information about CVE-2017-17405 on the official Ruby website and the associated GitHub commits. Links: [Ruby website](https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/), [GitHub commit 1](https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431), [GitHub commit 2](https://github.com/ruby/ruby/commit/1cfe43fd85c66a9e2b5068480b3e043c31e6b8ca)