Lucene search

K

GoogleOSV:GHSA-369M-2GV6-MW28

HistoryMay 14, 2022 - 2:03 a.m.

WEBrick RCE Vulnerability

2022-05-1402:03:29

Google

osv.dev

71

webrick

rce

vulnerability

ruby

remote attackers

terminal emulator escape sequences

arbitrary commands

EPSS

0.008

Percentile

82.0%

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

References

access.redhat.com/errata/RHSA-2017:3485

access.redhat.com/errata/RHSA-2018:0378

access.redhat.com/errata/RHSA-2018:0583

access.redhat.com/errata/RHSA-2018:0585

github.com/ruby/ruby/commit/6617c41292

github.com/ruby/webrick

github.com/ruby/webrick/commit/4ac0f3843ab82d1c31e1cfc719409208adef7813

github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2017-10784.yml

hackerone.com/reports/223363

lists.debian.org/debian-lts-announce/2018/07/msg00012.html

nvd.nist.gov/vuln/detail/CVE-2017-10784

security.gentoo.org/glsa/201710-18

usn.ubuntu.com/3528-1

usn.ubuntu.com/3685-1

web.archive.org/web/20210621131814/www.securityfocus.com/bid/100853

web.archive.org/web/20210919031115/www.securitytracker.com/id/1042004

web.archive.org/web/20211025092552/www.securitytracker.com/id/1039363

www.debian.org/security/2017/dsa-4031

www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released

www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released

www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784

EPSS

0.008

Percentile

82.0%

Related for OSV:GHSA-369M-2GV6-MW28