There is a command injection vulnerability in Net::FTP bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2017-17405.
Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
All users running an affected release should upgrade immediately.