CVE-2017-17405 — Vulnetix

Try Vulnetix Request Demo

CVE-2017-17405 PUBLISHED

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

EPSS 88.65% · 99.5th percentile

Risk Scores

EPSS Score

88.65%

99.5th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:16.04:LTS	ruby2.3	2.3.1-2~16.04.2, 2.3.1-2~16.04, 2.3.0-5ubuntu1
Ubuntu:14.04:LTS	ruby1.9.1	1.9.3.484-2ubuntu1.2, 1.9.3.484-2ubuntu1.3, 1.9.3.484-2ubuntu1.5
Ubuntu:14.04:LTS	ruby2.0	2.0.0.484-1ubuntu2.1, 2.0.0.484-1ubuntu2.2, 2.0.0.484-1ubuntu2.4

Timeline

CVE Published
Dec 19, 2017 PoC Published
Dec 22, 2017 PoC Published
Apr 14, 2021 EPSS Score
Feb 21, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Oct 25, 2023 EPSS Score
Nov 25, 2023 EPSS Score
Mar 17, 2025 EPSS Score
Mar 19, 2025 EPSS Score
Mar 25, 2025 EPSS Score
Apr 12, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2017-17405 third-party-advisory
https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/ third-party-advisory
https://github.com/ruby/ruby/commit/6d3f72e5be2312be312f2acbf3465b05293c1431 third-party-advisory
https://www.ruby-lang.org/en/news/2017/12/14/ruby-2-4-3-released/ third-party-advisory
https://ubuntu.com/security/notices/USN-3515-1 vendor-advisory
https://www.cve.org/CVERecord?id=CVE-2017-17405 third-party-advisory

Open in Interactive Console →