First published: Thu Dec 14 2017
It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.
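The practical defence at the application layer is to never let a server-supplied filename reach Ruby's `Kernel#open` (which treats a name beginning with `|` as a command to spawn) and to restrict what a downloaded file may be called. The following is an added example written for this page, not code from the advisory or from Ruby's own `net/ftp`; the module name `SafeFtpDownload`, its methods and the character whitelist are this example's own choices, and it relies on `Net::FTP#getbinaryfile` yielding data blocks when given `nil` as the local path. The referenced upstream fix takes the same approach inside `Net::FTP` by opening the local file with `File.open` instead of `open`.

```ruby
# Added example, not part of the advisory or of Ruby's net/ftp code.
# Derive a safe local filename from a remote FTP filename and write the
# download through File.open, which never interprets a leading "|".
require "net/ftp"
require "pathname"

module SafeFtpDownload
  # Conservative whitelist: leading alphanumeric, then a bounded run of
  # alphanumerics, dot, underscore or hyphen. A leading "|", ".", "-" or
  # any whitespace/control character fails this pattern.
  SAFE_NAME = /\A[A-Za-z0-9][A-Za-z0-9._-]{0,254}\z/

  # Returns a safe local basename for +remote_name+, or nil if the name
  # must be rejected. Reject rather than "clean" so that two distinct
  # remote names can never collapse to the same local file.
  def self.safe_local_name(remote_name)
    return nil unless remote_name.is_a?(String)
    base = File.basename(remote_name) # drop any directory components
    SAFE_NAME.match?(base) ? base : nil
  end

  # Resolves +base+ inside +dest_dir+ and confirms the result stays
  # inside that directory (belt and braces on top of the whitelist).
  def self.resolve_target(dest_dir, base)
    dir = Pathname.new(dest_dir).expand_path
    target = (dir + base).expand_path
    return nil unless target.to_s.start_with?(dir.to_s + File::SEPARATOR)
    target
  end

  # Downloads +remote_name+ from an already-connected Net::FTP object
  # into +dest_dir+. The local file is opened with File.open, and
  # getbinaryfile is given nil for the local path so that it yields the
  # data blocks to us instead of opening a file by the remote name.
  def self.fetch(ftp, remote_name, dest_dir)
    base = safe_local_name(remote_name)
    raise ArgumentError, "unsafe remote filename: #{remote_name.inspect}" unless base
    target = resolve_target(dest_dir, base)
    raise ArgumentError, "path escapes destination directory" unless target
    File.open(target, "wb") do |io|
      ftp.getbinaryfile(remote_name, nil) { |block| io.write(block) }
    end
    target.to_s
  end
end

# Usage (hypothetical host and directory; no connection is made here):
#   ftp = Net::FTP.new("ftp.example.test")
#   ftp.login
#   SafeFtpDownload.fetch(ftp, "release.tar.gz", "/var/tmp/downloads")
```

Callers that need to keep the server's original name should store it as metadata (for example in a database column) rather than on the filesystem, so the whitelist can stay strict.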
Credit: CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ruby | <0:2.0.0.648-33.el7_4 | 0:2.0.0.648-33.el7_4 |
redhat/ruby | <0:2.0.0.648-30.el7_3 | 0:2.0.0.648-30.el7_3 |
redhat/rh-ruby22-ruby | <0:2.2.9-19.el6 | 0:2.2.9-19.el6 |
redhat/rh-ruby24-ruby | <0:2.4.3-90.el6 | 0:2.4.3-90.el6 |
redhat/rh-ruby23-ruby | <0:2.3.6-67.el6 | 0:2.3.6-67.el6 |
redhat/rh-ruby22-ruby | <0:2.2.9-19.el7 | 0:2.2.9-19.el7 |
redhat/rh-ruby24-ruby | <0:2.4.3-90.el7 | 0:2.4.3-90.el7 |
redhat/rh-ruby23-ruby | <0:2.3.6-67.el7 | 0:2.3.6-67.el7 |
redhat/ruby | <2.2.9 | 2.2.9 |
redhat/ruby | <2.3.6 | 2.3.6 |
redhat/ruby | <2.4.3 | 2.4.3 |
redhat/ruby | <2.5.0 | 2.5.0 |
Ruby-lang Ruby | >=2.2<=2.2.8 | |
Ruby-lang Ruby | >=2.3<=2.3.5 | |
Ruby-lang Ruby | >=2.4<=2.4.2 | |
Ruby-lang Ruby | =2.5.0-preview1 | |
Debian Debian Linux | =7.0 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.4 | |
Redhat Enterprise Linux Server Aus | =7.6 | |
Redhat Enterprise Linux Server Eus | =7.4 | |
Redhat Enterprise Linux Server Eus | =7.5 | |
Redhat Enterprise Linux Server Eus | =7.6 | |
Redhat Enterprise Linux Server Tus | =7.4 | |
Redhat Enterprise Linux Server Tus | =7.6 | |
Redhat Enterprise Linux Workstation | =7.0 | |
Apple macOS Mojave | <10.14.1 | 10.14.1 |
Apple High Sierra | | |
Apple Sierra | | |
debian/ruby2.5 | | 2.5.5-3+deb10u4, 2.5.5-3+deb10u6 |
CVE-2017-17405 is a vulnerability in Ruby that allows Net::FTP command injection.
CVE-2017-17405 has a severity rating of 8.8 (critical).
To fix CVE-2017-17405, update Ruby to version 2.5.5-3+deb10u4 or 2.5.5-3+deb10u6 on Debian, or to version 2.4.3 on Red Hat. Check the vendor's official website for the latest updates.
You can find more information about CVE-2017-17405 on the official Ruby website and the associated GitHub commits. Links: [Ruby website](https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/), [GitHub commit 1](https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431), [GitHub commit 2](https://github.com/ruby/ruby/commit/1cfe43fd85c66a9e2b5068480b3e043c31e6b8ca)