CVE-2017-10784
Severity: HIGH
Ruby < 2.2.8, 2.3.x < 2.3.5, 2.4.x <= 2.4.1 - Command Injection via WEBrick Basic Authentication
Title source: llmDescription
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
References (15)
Vendor Advisory (x_refsource_ubuntu): https://usn.ubuntu.com/3685-1/
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:0585
Vendor Advisory (x_refsource_ubuntu): https://usn.ubuntu.com/3528-1/
Third Party Advisory, VDB Entry (x_refsource_bid): http://www.securityfocus.com/bid/100853
Patch, Vendor Advisory (x_refsource_confirm): https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:0378
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1042004
Third Party Advisory (x_refsource_debian): https://www.debian.org/security/2017/dsa-4031
Patch, Vendor Advisory (x_refsource_confirm): https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
Third Party Advisory, VDB Entry (x_refsource_sectrack): http://www.securitytracker.com/id/1039363
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2017:3485
Mailing List (x_refsource_mlist): https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
Vendor Advisory (x_refsource_redhat): https://access.redhat.com/errata/RHSA-2018:0583
Vendor Advisory (x_refsource_confirm): https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
Third Party Advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/201710-18
Scores
CVSS v3: 8.8
EPSS: 0.0212
EPSS Percentile: 84.4%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE: CWE-287
Status: published
Products (9)
ruby-lang/ruby 2.3.0 (3 CPE variants)
ruby-lang/ruby 2.3.1
ruby-lang/ruby 2.3.2
ruby-lang/ruby 2.3.3
ruby-lang/ruby 2.3.4
ruby-lang/ruby 2.4.0 (5 CPE variants)
ruby-lang/ruby 2.4.1
ruby-lang/ruby < 2.2.7
rubygems/webrick 0 - 1.4.0 (RubyGems)
Published: Sep 19, 2017
Tracked Since: Feb 18, 2026