Get a demo
100% Signal 0% Noise Invicti Logo - The Largest Dynamic Application Security Solutions Provider In The World Get a demo
Ruby Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Vulnerability - CVE-2017-17405 - Vulnerability Database
Ruby

Ruby Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Vulnerability - CVE-2017-17405

High
Reference: CVE-2017-17405
NVD Link: https://nvd.nist.gov/vuln/detail/CVE-2017-17405
Title: Ruby Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) Vulnerability
Overview:

Ruby before 2.4.3 allows Net::FTP command injection. Net::FTPget getbinaryfile gettextfile put putbinaryfile and puttextfile use Kernelopen to open a local file. If the localfile argument starts with the quotquot pipe character the command following the pipe character is executed. The default value of localfile is File.basename(remotefile) so malicious FTP servers could cause arbitrary command execution.