VDB

ALPINE-CVE-2017-17405

ALPINE-CVE-2017-17405 PUBLISHED CVSS 8.800000190734863 HIGH

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

Risk Scores

CVSS 3.0
8.800000190734863
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersions
Alpine:v3.10ruby0, 2.1.5-r0, 2.0.0
Alpine:v3.5ruby1.8.7_p299-r0, 2.3.2-r0, 2.3.1-r2
Alpine:v3.20ruby2.2, 0, 0
Alpine:v3.16ruby1.9.3_p374-r0, 0, 1.8.7_p160-r2
Alpine:v3.4ruby2.1.5-r1, 2.2.1-r0, 2.2.2-r0
Alpine:v3.12ruby1.9.3_p286-r1, 1.9.3_p385-r0, 2.0.0_p0-r0
Alpine:v3.13ruby0, 2.1.5-r1, 1.8.7_p174-r6
Alpine:v3.14ruby2.4.1-r5, 2.4.1-r2, 2.2.1-r0
Alpine:v3.23ruby2.2, 0, 0
Alpine:v3.15ruby2.0.0_p353-r0, 0, 1.8.7_p160-r2
Alpine:v3.18ruby2.4.2-r1, 2.2, 0
Alpine:v3.11ruby1.9.3_p327-r0, 2.2, 0
Alpine:v3.8ruby2.3.2-r0, 1.8.7_p174-r6, 1.8.7_p174-r7
Alpine:v3.9ruby2.0.0_p247-r1, 1.9.3, 1.9.3
Alpine:v3.22ruby2.2, 0, 0
Alpine:v3.24ruby2.2, 0
Alpine:v3.3ruby1.9.3_p286-r1, 1.9.3_p286-r2, 1.9.3_p362-r0
Alpine:v3.21ruby0, 0, 0
Alpine:v3.7ruby1.9.3_p286-r0, 2.0.0_p247-r3, 2.0.0_p353-r0
Alpine:v3.17ruby1.8.7_p72-r1, 2.3.1-r2, 2.3.2-r0

…and 2 more

Timeline

  • Dec 15, 2017 CVE Published
  • Apr 30, 2026 Distribution Patch
  • Jul 8, 2026 CVE Updated
Open in Interactive Console →
$ Console Community · 100/wk Open console ›