{ "threat_severity" : "Important", "public_date" : "2017-12-14T00:00:00Z", "bugzilla" : { "description" : "ruby: Command injection vulnerability in Net::FTP", "id" : "1526189", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1526189" }, "cvss3" : { "cvss3_base_score" : "6.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status" : "verified" }, "cwe" : "CWE-20", "details" : [ "Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the \"|\" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.", "It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module." ], "statement" : "This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1 and CloudForms 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2018-02-28T00:00:00Z", "advisory" : "RHSA-2018:0378", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "ruby-0:2.0.0.648-33.el7_4" }, { "product_name" : "Red Hat Enterprise Linux 7.3 Advanced Update Support", "release_date" : "2019-09-19T00:00:00Z", "advisory" : "RHSA-2019:2806", "cpe" : "cpe:/o:redhat:rhel_aus:7.3", "package" : "ruby-0:2.0.0.648-30.el7_3" }, { "product_name" : "Red Hat Enterprise Linux 7.3 Telco Extended Update Support", "release_date" : "2019-09-19T00:00:00Z", "advisory" : "RHSA-2019:2806", "cpe" : "cpe:/o:redhat:rhel_tus:7.3", "package" : "ruby-0:2.0.0.648-30.el7_3" }, { "product_name" : "Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions", "release_date" : "2019-09-19T00:00:00Z", "advisory" : "RHSA-2019:2806", "cpe" : "cpe:/o:redhat:rhel_e4s:7.3", "package" : "ruby-0:2.0.0.648-30.el7_3" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0583", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-ruby22-ruby-0:2.2.9-19.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0584", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-ruby24-ruby-0:2.4.3-90.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0585", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-ruby23-ruby-0:2.3.6-67.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0583", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-ruby22-ruby-0:2.2.9-19.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0584", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-ruby24-ruby-0:2.4.3-90.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0585", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el6", "package" : "rh-ruby23-ruby-0:2.3.6-67.el6" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0583", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby22-ruby-0:2.2.9-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0584", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby24-ruby-0:2.4.3-90.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0585", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby23-ruby-0:2.3.6-67.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0583", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby22-ruby-0:2.2.9-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0584", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby24-ruby-0:2.4.3-90.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0585", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby23-ruby-0:2.3.6-67.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0583", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby22-ruby-0:2.2.9-19.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0584", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby24-ruby-0:2.4.3-90.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7.4 EUS", "release_date" : "2018-03-26T00:00:00Z", "advisory" : "RHSA-2018:0585", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-ruby23-ruby-0:2.3.6-67.el7" } ], "package_state" : [ { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Affected", "package_name" : "rh-ruby22-ruby", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5", "impact" : "moderate" }, { "product_name" : "CloudForms Management Engine 5", "fix_state" : "Affected", "package_name" : "ruby-200-ruby", "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5", "impact" : "moderate" }, { "product_name" : "Red Hat Enterprise Linux 5", "fix_state" : "Will not fix", "package_name" : "ruby", "cpe" : "cpe:/o:redhat:enterprise_linux:5" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Will not fix", "package_name" : "ruby", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat Subscription Asset Manager", "fix_state" : "Affected", "package_name" : "ruby193-ruby", "cpe" : "cpe:/a:rhel_sam:1", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2017-17405\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-17405\nhttps://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/" ], "name" : "CVE-2017-17405", "csaw" : false }