-
-
Notifications
You must be signed in to change notification settings - Fork 221
/
CVE-2017-10784.yml
39 lines (39 loc) · 1.83 KB
/
CVE-2017-10784.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
---
gem: webrick
cve: 2017-10784
ghsa: 369m-2gv6-mw28
url: https://access.redhat.com/errata/RHSA-2017:3485
title: WEBrick RCE Vulnerability
date: 2022-05-14
description: |
The Basic authentication code in WEBrick library in Ruby before 2.2.8,
2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal
emulator escape sequences into its log and possibly execute arbitrary commands via
a crafted user name.
cvss_v2: 9.3
cvss_v3: 8.8
patched_versions:
- ">= 1.4.0"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2017-10784
- https://access.redhat.com/errata/RHSA-2017:3485
- https://access.redhat.com/errata/RHSA-2018:0378
- https://access.redhat.com/errata/RHSA-2018:0583
- https://access.redhat.com/errata/RHSA-2018:0585
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://security.gentoo.org/glsa/201710-18
- https://usn.ubuntu.com/3528-1/
- https://usn.ubuntu.com/3685-1/
- https://www.debian.org/security/2017/dsa-4031
- https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
- https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
- https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
- https://web.archive.org/web/20210621131814/http://www.securityfocus.com/bid/100853
- https://web.archive.org/web/20210919031115/http://www.securitytracker.com/id/1042004
- https://web.archive.org/web/20211025092552/http://www.securitytracker.com/id/1039363
- https://github.com/ruby/ruby/commit/6617c41292
- https://github.com/ruby/webrick/commit/4ac0f3843ab82d1c31e1cfc719409208adef7813
- https://hackerone.com/reports/223363
- https://github.com/advisories/GHSA-369m-2gv6-mw28
notes: "Versions in description: field are ruby versions, not ruby gem"