VDB
ALPINE-CVE-2017-17405
ALPINE-CVE-2017-17405
PUBLISHED
CVSS 8.800000190734863 HIGH
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Risk Scores
CVSS 3.0
8.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Alpine:v3.10 | ruby | 0, 2.1.5-r0, 2.0.0 |
| Alpine:v3.5 | ruby | 1.8.7_p299-r0, 2.3.2-r0, 2.3.1-r2 |
| Alpine:v3.20 | ruby | 2.2, 0, 0 |
| Alpine:v3.16 | ruby | 1.9.3_p374-r0, 0, 1.8.7_p160-r2 |
| Alpine:v3.4 | ruby | 2.1.5-r1, 2.2.1-r0, 2.2.2-r0 |
| Alpine:v3.12 | ruby | 1.9.3_p286-r1, 1.9.3_p385-r0, 2.0.0_p0-r0 |
| Alpine:v3.13 | ruby | 0, 2.1.5-r1, 1.8.7_p174-r6 |
| Alpine:v3.14 | ruby | 2.4.1-r5, 2.4.1-r2, 2.2.1-r0 |
| Alpine:v3.23 | ruby | 2.2, 0, 0 |
| Alpine:v3.15 | ruby | 2.0.0_p353-r0, 0, 1.8.7_p160-r2 |
| Alpine:v3.18 | ruby | 2.4.2-r1, 2.2, 0 |
| Alpine:v3.11 | ruby | 1.9.3_p327-r0, 2.2, 0 |
| Alpine:v3.8 | ruby | 2.3.2-r0, 1.8.7_p174-r6, 1.8.7_p174-r7 |
| Alpine:v3.9 | ruby | 2.0.0_p247-r1, 1.9.3, 1.9.3 |
| Alpine:v3.22 | ruby | 2.2, 0, 0 |
| Alpine:v3.24 | ruby | 2.2, 0 |
| Alpine:v3.3 | ruby | 1.9.3_p286-r1, 1.9.3_p286-r2, 1.9.3_p362-r0 |
| Alpine:v3.21 | ruby | 0, 0, 0 |
| Alpine:v3.7 | ruby | 1.9.3_p286-r0, 2.0.0_p247-r3, 2.0.0_p353-r0 |
| Alpine:v3.17 | ruby | 1.8.7_p72-r1, 2.3.1-r2, 2.3.2-r0 |
…and 2 more
Timeline
- Dec 15, 2017 CVE Published
- Apr 30, 2026 Distribution Patch
- Jul 8, 2026 CVE Updated