CVE-2017-17790

Published: 20 December 2017

The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3 uses Kernel#open, which might allow Command Injection attacks, as demonstrated by a Resolv::Hosts::new argument beginning with a '|' character, a different vulnerability than CVE-2017-17405. NOTE: situations with untrusted input may be highly unlikely.

Priority

Medium

CVSS 3 base score: 9.8

Status

Package Release Status
ruby1.9.1
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist
(trusty was released [1.9.3.484-2ubuntu1.7])
ruby2.3
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus)
Released (2.3.1-2~16.04.5)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

ruby2.5
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (2.5.1-1)
Ubuntu 16.04 ESM (Xenial Xerus) Does not exist

Ubuntu 14.04 ESM (Trusty Tahr) Does not exist