High severity8.8NVD Advisory· Published Dec 15, 2017· Updated May 13, 2026
CVE-2017-17405
CVE-2017-17405
Description
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
14- www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/nvdPatchRelease NotesVendor Advisory
- www.exploit-db.com/exploits/43381/nvdExploitThird Party AdvisoryVDB Entry
- www.securityfocus.com/bid/102204nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1042004nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2018:0378nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:0583nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:0584nvdThird Party Advisory
- access.redhat.com/errata/RHSA-2018:0585nvdThird Party Advisory
- lists.debian.org/debian-lts-announce/2017/12/msg00024.htmlnvdMailing ListThird Party Advisory
- lists.debian.org/debian-lts-announce/2017/12/msg00025.htmlnvdMailing ListThird Party Advisory
- lists.debian.org/debian-lts-announce/2018/07/msg00012.htmlnvdMailing ListThird Party Advisory
- www.debian.org/security/2018/dsa-4259nvdThird Party Advisory
- www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/nvdVendor Advisory
- access.redhat.com/errata/RHSA-2019:2806nvd
News mentions
0No linked articles in our index yet.