CVE-2017-10784
ruby: Escape sequence injection vulnerability in the Basic authentication of WEBrick
- Severity Score
- Exploit Likelihood
- Affected Versions
- Public Exploits: 0
- Exploited in Wild: -
- Decision
Descriptions
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
It was found that WEBrick did not sanitize all its log messages. If logs were printed in a terminal, an attacker could interact with the terminal via the use of escape sequences.
Ruby is an extensible, interpreted, object-oriented, scripting language. It has features to process text files and to perform system management tasks. Security Fix: It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-07-01 CVE Reserved
- 2017-09-19 CVE Published
- 2024-08-05 CVE Updated
- 2025-05-21 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-117: Improper Output Neutralization for Logs
- CWE-287: Improper Authentication
CAPEC
References (17)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/100853 | Third Party Advisory | |
http://www.securitytracker.com/id/1039363 | Third Party Advisory | |
http://www.securitytracker.com/id/1042004 | Vdb Entry | |
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html | Mailing List | |

URL | Date | SRC |
---|---|---|
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released | 2018-10-31 | |
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released | 2018-10-31 | |

URL | Date | SRC |
---|---|---|
https://access.redhat.com/errata/RHSA-2017:3485 | 2018-10-31 | |
https://access.redhat.com/errata/RHSA-2018:0378 | 2018-10-31 | |
https://access.redhat.com/errata/RHSA-2018:0583 | 2018-10-31 | |
https://access.redhat.com/errata/RHSA-2018:0585 | 2018-10-31 | |
https://security.gentoo.org/glsa/201710-18 | 2018-10-31 | |
https://usn.ubuntu.com/3528-1 | 2018-10-31 | |
https://usn.ubuntu.com/3685-1 | 2018-10-31 | |
https://www.debian.org/security/2017/dsa-4031 | 2018-10-31 | |
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784 | 2018-10-31 | |
https://access.redhat.com/security/cve/CVE-2017-10784 | 2018-03-26 | |
https://bugzilla.redhat.com/show_bug.cgi?id=1492012 | 2018-03-26 | |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Ruby-lang | Ruby | <= 2.2.7 | - | Affected |
Ruby-lang | Ruby | 2.3.0 | - | Affected |
Ruby-lang | Ruby | 2.3.0 | preview1 | Affected |
Ruby-lang | Ruby | 2.3.0 | preview2 | Affected |
Ruby-lang | Ruby | 2.3.1 | - | Affected |
Ruby-lang | Ruby | 2.3.2 | - | Affected |
Ruby-lang | Ruby | 2.3.3 | - | Affected |
Ruby-lang | Ruby | 2.3.4 | - | Affected |
Ruby-lang | Ruby | 2.4.0 | - | Affected |
Ruby-lang | Ruby | 2.4.0 | preview1 | Affected |
Ruby-lang | Ruby | 2.4.0 | preview2 | Affected |
Ruby-lang | Ruby | 2.4.0 | preview3 | Affected |
Ruby-lang | Ruby | 2.4.0 | rc1 | Affected |
Ruby-lang | Ruby | 2.4.1 | - | Affected |