CVE-2017-17790

CVSS v3.0 9.8 (Critical)

CVSS v2.0 7.5 (High)

EPSS 2.80 % (91^th)

Affected Products 1

Advisories 9

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.

Weaknesses

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Related CVEs

CVE-2017-17405

CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2017-12-20 09:29:01
(6 years ago)
Updated Date: 2018-08-03 01:29:02
(6 years ago)

Affected Products

Ruby-lang

Ruby

Configuration #1

	CPE23	From	Up To
Ruby-lang Ruby from 2.2 version and 2.2.8 and prior versions	cpe:2.3:a:ruby-lang:ruby	>= 2.2	<= 2.2.8
Ruby-lang Ruby from 2.3 version and 2.3.5 and prior versions	cpe:2.3:a:ruby-lang:ruby	>= 2.3	<= 2.3.5
Ruby-lang Ruby from 2.4 version and 2.4.2 and prior versions	cpe:2.3:a:ruby-lang:ruby	>= 2.4	<= 2.4.2
Ruby-lang Ruby 2.5.0 Preview1	cpe:2.3:a:ruby-lang:ruby:2.5.0:preview1