Sha256: 96439d774ea6fd13e60df2e573da182f5e6a0902ddfd912f3061b7ae996862ad

Size: 834 Bytes

Versions: 3

Stored size: 834 Bytes

Contents

---
engine: ruby
cve: 2017-17405
url: https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
title: Command injection vulnerability in Net::FTP
date: 2017-12-14
description: |
  There is a command injection vulnerability in Net::FTP bundled with Ruby.

  `Net::FTP#get`, `getbinaryfile`, `gettextfile`, `put`, `putbinaryfile`, and
  `puttextfile` use `Kernel#open` to open a local file. If the `localfile`
  argument starts with the pipe character `"|"`, the command following the
  pipe character is executed. The default value of `localfile` is
  `File.basename(remotefile)`, so malicious FTP servers could cause arbitrary
  command execution.

  All users running an affected release should upgrade immediately.
patched_versions:
  - "~> 2.2.9"
  - "~> 2.3.6"
  - "~> 2.4.3"
  - "> 2.5.0.preview.1"
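
The unsafe default the advisory describes (a local name taken verbatim from the server-supplied remote name and handed to `Kernel#open`) next to a hardened helper, as an added example that is not part of the advisory or of bundler-audit; `safe_local_name`, `save_download` and the `UnsafeFilename` error are names chosen here, not Net::FTP API:

```ruby
# Added example (not from the advisory or bundler-audit): the pattern behind
# CVE-2017-17405 and a hardened replacement for deriving a local file name
# from a remote name chosen by the FTP server.

# Mirrors the pre-fix default: File.basename(remotefile) is used as-is.
# Kernel#open treats a leading "|" as "run this command", so the vulnerable
# Net::FTP code would execute a server-chosen name such as "|id".
def unsafe_local_name(remotefile)
  File.basename(remotefile)
end

# True when Kernel#open would interpret the name as a pipe.
def pipe_name?(localfile)
  localfile.start_with?("|")
end

class UnsafeFilename < StandardError; end

# Hardened: reject pipe names and degenerate path components, and only ever
# hand the result to File.open, which never spawns a process.
def safe_local_name(remotefile)
  name = File.basename(remotefile)
  raise UnsafeFilename, "refusing pipe name: #{name.inspect}" if pipe_name?(name)
  raise UnsafeFilename, "unusable name: #{name.inspect}" if %w[. .. /].include?(name) || name.empty?
  name
end

# Writes downloaded data under dir using File.open (never Kernel#open);
# returns the path written.
def save_download(remotefile, data, dir)
  path = File.join(dir, safe_local_name(remotefile))
  File.open(path, "wb") { |f| f.write(data) }
  path
end

if __FILE__ == $PROGRAM_NAME
  # Constructed server-supplied names for illustration.
  ["pub/report.txt", "|id"].each do |remote|
    begin
      puts "#{remote.inspect} -> #{safe_local_name(remote)}"
    rescue UnsafeFilename => e
      puts "#{remote.inspect} -> rejected (#{e.message})"
    end
  end
end
```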

Version data entries

3 entries across 3 versions & 2 rubygems

Version Path
bundler-audit-0.7.0.1 data/ruby-advisory-db/rubies/ruby/CVE-2017-17405.yml
bundler-budit-0.6.2 data/ruby-advisory-db/rubies/ruby/CVE-2017-17405.yml
bundler-budit-0.6.1 data/ruby-advisory-db/rubies/ruby/CVE-2017-17405.yml