CVE-2017-10784

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

CVSS v3 8.8 HIGH
CVSS v2.0 9.3 HIGH

8.8^/10

CVSS v3 : HIGH

V3 Legend

Vector : AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

9.3^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:N/AC:M/Au:N/C:C/I:C/A:C

Exploitability : 8.6 / Impact : 10.0

Access Vector NETWORK

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://www.securityfocus.com/bid/100853	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039363	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/	Patch Vendor Advisory
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/	Patch Vendor Advisory
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/	Vendor Advisory
http://www.securityfocus.com/bid/100853	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1039363	Third Party Advisory VDB Entry
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/	Patch Vendor Advisory
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/	Patch Vendor Advisory
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:ruby::::::::
	cpe:2.3:a:ruby-lang:ruby:2.3.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1::::::
	cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2::::::
	cpe:2.3:a:ruby-lang:ruby:2.3.1:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.3.2:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.3.3:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.3.4:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.4.0:::::::*
	cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1::::::
	cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2::::::
	cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3::::::
	cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1::::::
	cpe:2.3:a:ruby-lang:ruby:2.4.1:::::::*

History

No history.

Information

Published : 2017-09-19 17:29

Updated : 2025-04-20 01:37

NVD link : CVE-2017-10784

Mitre link : CVE-2017-10784

CVE.ORG link : CVE-2017-10784

JSON object : View

Products Affected

ruby-lang

ruby

CWE

CWE-287

Improper Authentication

8.8 /10