Описание
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
It was discovered that the Net::FTP module did not properly process filenames in combination with certain operations. A remote attacker could exploit this flaw to execute arbitrary commands by setting up a malicious FTP server and tricking a user or Ruby application into downloading files with specially crafted names using the Net::FTP module.
Отчет
This issue affects the versions of ruby as shipped with Red Hat Subscription Asset Manager 1 and CloudForms 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | rh-ruby22-ruby | Affected | ||
| CloudForms Management Engine 5 | ruby-200-ruby | Affected | ||
| Red Hat Enterprise Linux 5 | ruby | Will not fix | ||
| Red Hat Enterprise Linux 6 | ruby | Will not fix | ||
| Red Hat Subscription Asset Manager | ruby193-ruby | Affected | ||
| Red Hat Enterprise Linux 7 | ruby | Fixed | RHSA-2018:0378 | 28.02.2018 |
| Red Hat Enterprise Linux 7.3 Advanced Update Support | ruby | Fixed | RHSA-2019:2806 | 19.09.2019 |
| Red Hat Enterprise Linux 7.3 Telco Extended Update Support | ruby | Fixed | RHSA-2019:2806 | 19.09.2019 |
| Red Hat Enterprise Linux 7.3 Update Services for SAP Solutions | ruby | Fixed | RHSA-2019:2806 | 19.09.2019 |
| Red Hat Software Collections for Red Hat Enterprise Linux 6 | rh-ruby22-ruby | Fixed | RHSA-2018:0583 | 26.03.2018 |
Показывать по
Дополнительная информация
Статус:
EPSS
6.3 Medium
CVSS3
Связанные уязвимости
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, get ...
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Уязвимость реализации команд Net::FTP интерпретатора языка программирования Ruby, позволяющая нарушителю выполнить произвольные команды
EPSS
6.3 Medium
CVSS3