CVE-2017-17790
Description
Ruby through 2.4.3 allows command injection in Resolv::Hosts.new when argument starts with '|' due to use of Kernel#open.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The lazy_initialize function in lib/resolv.rb in Ruby through version 2.4.3 uses Kernel#open, which might allow command injection attacks. This is demonstrated by a Resolv::Hosts::new argument beginning with a '|' character [1][2][3][4]. The issue is a different vulnerability than CVE-2017-17405.
Exploitation
An attacker must provide a crafted argument to Resolv::Hosts.new that starts with a '|' character. The Kernel#open call interprets the argument as a pipe command if it begins with '|', leading to execution of arbitrary shell commands. The scenario with untrusted input is considered highly unlikely by the advisory [1].
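An added example, not code from Ruby's lib/resolv.rb or from the referenced fix, showing the defender's side of the mechanism above: File.open never treats a leading '|' as a pipe, so a hosts-file reader built on it fails with Errno::ENOENT on such a name instead of spawning anything, and a small audit helper flags the paths Kernel#open would have treated as commands. The sample hosts content, the function names and the Tempfile usage are constructed for illustration.

```ruby
require 'tempfile'

# Constructed sample hosts-file content (not taken from the page).
SAMPLE_HOSTS = <<~HOSTS
  127.0.0.1   localhost
  # comment lines and trailing comments are ignored
  ::1         localhost ip6-localhost
  10.0.0.5    app.internal   # staging
HOSTS

# Audit helper: true when a caller-supplied path would be treated as a
# command pipe by Kernel#open (the CVE-2017-17790 condition).
def pipe_style_path?(path)
  path.to_s.start_with?('|')
end

# Hardened reader: File.open only ever opens a file, so a name that starts
# with '|' is just a (missing) file name, never a subprocess.
def read_hosts_file(path)
  File.open(path, 'rb') { |f| f.read }
end

# Returns :opened on success, or the error class when the file is absent.
def hardened_open_result(path)
  read_hosts_file(path)
  :opened
rescue SystemCallError => e
  e.class
end

# Parse hosts text into { lowercase name => [addresses] }, as a resolver would.
def parse_hosts(text)
  table = Hash.new { |h, k| h[k] = [] }
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    addr, *names = line.split(/\s+/)
    names.each { |n| table[n.downcase] << addr }
  end
  table
end

# Write the sample to a temp file and read it back through the hardened path.
def demo_table
  Tempfile.create('hosts') do |f|
    f.write(SAMPLE_HOSTS)
    f.flush
    parse_hosts(read_hosts_file(f.path))
  end
end

puts demo_table.inspect if __FILE__ == $PROGRAM_NAME
```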
Impact
Successful exploitation results in arbitrary command execution with the privileges of the Ruby process. This can lead to full compromise of the affected application or system.
Mitigation
Red Hat has released updated packages for various Ruby versions: ruby-2.0.0.648-33.el7_4 for RHEL Server 7 [1], rh-ruby23-ruby (2.3.6) [2], rh-ruby24-ruby (2.4.3) [3], and rh-ruby22-ruby (2.2.9) [4]. Users should update to the fixed versions. No workaround is provided for versions without a patch.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
21 versions (SUSE packages, OSV coordinates; no CPE assigned):
- ruby2.1, affected range: < 2.1.9-19.3.2, on: HPE Helion OpenStack 8; SUSE Enterprise Storage 5; SUSE Linux Enterprise Server 12 SP2-BCL, SP2-LTSS, SP3-BCL, SP3-LTSS, SP4, SP5; SUSE Linux Enterprise Server for SAP Applications 12 SP2, SP3, SP4, SP5; SUSE Linux Enterprise Software Development Kit 12 SP4, SP5; SUSE OpenStack Cloud 7, 8; SUSE OpenStack Cloud Crowbar 8
- yast2-ruby-bindings, affected range: < 3.1.53-9.8.1, on: SUSE Linux Enterprise Server 12 SP2-BCL, SP2-LTSS; SUSE Linux Enterprise Server for SAP Applications 12 SP2; SUSE OpenStack Cloud 7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9 references:
- github.com/ruby/ruby/pull/1777 (NVD tags: Exploit, Issue Tracking, Third Party Advisory)
- access.redhat.com/errata/RHSA-2018:0378 (NVD)
- access.redhat.com/errata/RHSA-2018:0583 (NVD)
- access.redhat.com/errata/RHSA-2018:0584 (NVD)
- access.redhat.com/errata/RHSA-2018:0585 (NVD)
- lists.debian.org/debian-lts-announce/2017/12/msg00024.html (NVD)
- lists.debian.org/debian-lts-announce/2017/12/msg00025.html (NVD)
- lists.debian.org/debian-lts-announce/2018/07/msg00012.html (NVD)
- www.debian.org/security/2018/dsa-4259 (NVD)
News mentions
No linked articles in our index yet.