Vulnerability Description
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ruby-Lang | Ruby | <= 2.2.7 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/100853Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1039363Third Party AdvisoryVDB Entry
- http://www.securitytracker.com/id/1042004
- https://access.redhat.com/errata/RHSA-2017:3485
- https://access.redhat.com/errata/RHSA-2018:0378
- https://access.redhat.com/errata/RHSA-2018:0583
- https://access.redhat.com/errata/RHSA-2018:0585
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://security.gentoo.org/glsa/201710-18
- https://usn.ubuntu.com/3528-1/
- https://usn.ubuntu.com/3685-1/
- https://www.debian.org/security/2017/dsa-4031
- https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/PatchVendor Advisory
- https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/PatchVendor Advisory
- https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-Vendor Advisory
FAQ
What is CVE-2017-10784?
CVE-2017-10784 is a vulnerability with a CVSS score of 8.8 (HIGH). The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and...
How severe is CVE-2017-10784?
CVE-2017-10784 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2017-10784?
Check the references section above for vendor advisories and patch information. Affected products include: Ruby-Lang Ruby.