Description
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
| Release | Status | Note |
|---|---|---|
| artful | DNE | |
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was released [1.9.3.484-2ubuntu1.6]] |
| precise/esm | DNE | |
| trusty | released | 1.9.3.484-2ubuntu1.6 |
| trusty/esm | DNE | trusty was released [1.9.3.484-2ubuntu1.6] |
| upstream | needs-triage | |
| xenial | DNE | |
| zesty | DNE | |
| Release | Status | Note |
|---|---|---|
| artful | DNE | |
| devel | DNE | |
| esm-infra-legacy/trusty | DNE | trusty/esm was DNE [trusty was released [2.0.0.484-1ubuntu2.5]] |
| precise/esm | DNE | |
| trusty | released | 2.0.0.484-1ubuntu2.5 |
| trusty/esm | DNE | trusty was released [2.0.0.484-1ubuntu2.5] |
| upstream | needs-triage | |
| xenial | DNE | |
| zesty | DNE | |
| Release | Status | Note |
|---|---|---|
| artful | released | 2.3.3-1ubuntu1.1 |
| devel | not-affected | 2.3.6-2 |
| esm-infra-legacy/trusty | DNE | |
| esm-infra/xenial | released | 2.3.1-2~16.04.4 |
| precise/esm | DNE | |
| trusty | DNE | |
| trusty/esm | DNE | |
| upstream | released | 2.3.6 |
| xenial | released | 2.3.1-2~16.04.4 |
| zesty | released | 2.3.3-1ubuntu0.3 |
EPSS
CVSS2: 9.3 Critical
CVSS3: 8.8 High
Related vulnerabilities
A vulnerability in the Net::FTP command implementation of the Ruby programming language interpreter that allows an attacker to execute arbitrary commands