CVE-2017-10784

Name: CVE-2017-10784
Description: The Basic authentication code in the WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
References: DLA-1113-1, DLA-1114-1, DSA-4031-1
NVD severity: high (attack range: remote)
Debian Bugs: 875931
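The issue in the description is a log injection: a failed Basic-auth attempt is logged with the user name taken straight from the decoded Authorization header, so an ESC sequence in the user name is written to the log verbatim and interpreted by any terminal that later displays it. The Ruby below is an added example, not WEBrick's code and not the upstream fix; the helper names (basic_auth_user, escape_for_log, contains_raw_control?) and the crafted header are constructed for illustration. It shows the raw interpolation beside a hardened variant that rewrites control characters and backslashes to printable escapes, plus a check that can be run over existing log lines.

```ruby
# Added example (not the WEBrick source): a crafted Basic-auth user name
# reaching a log line unescaped, and escaping that defuses it.

# Decode the user name from an "Authorization: Basic <base64>" header value,
# as a Basic-auth handler does before checking (and logging) the attempt.
# Uses pack/unpack so no gem is needed.
def basic_auth_user(header_value)
  scheme, encoded = header_value.split(' ', 2)
  return nil unless scheme && encoded && scheme.casecmp('Basic').zero?
  decoded = encoded.unpack1('m')
  user, _password = decoded.split(':', 2)
  user
end

# Vulnerable pattern: the user name is interpolated as-is, so ESC sequences
# in it are emitted to whoever tails or greps the log on a terminal.
def log_failed_auth_vulnerable(user)
  "WEBrick::HTTPAuth::BasicAuth: #{user}: password unmatch."
end

# Hardened pattern: every run of control characters or backslashes is
# replaced by its printable escaped form (\e, \n, \\ ...) before the line is
# built. A terminal rendering the log then sees literal text, not a sequence.
def escape_for_log(data)
  data.gsub(/[[:cntrl:]\\]+/) { |run| run.dump[1...-1] }
end

def log_failed_auth_hardened(user)
  "WEBrick::HTTPAuth::BasicAuth: #{escape_for_log(user)}: password unmatch."
end

# Detection helper for existing logs: true if a line still carries raw
# control characters (a sign that an unescaped name was logged).
def contains_raw_control?(line)
  line.match?(/[[:cntrl:]]/)
end

# Constructed sample: a user name that starts with CSI 2J (erase display),
# the kind of payload that blanks an operator's screen when the log is viewed.
CRAFTED_USER = "\e[2Jadmin"
CRAFTED_HEADER = 'Basic ' + ["#{CRAFTED_USER}:x"].pack('m0')

if __FILE__ == $0
  user = basic_auth_user(CRAFTED_HEADER)
  puts log_failed_auth_vulnerable(user).inspect   # control byte still present
  puts log_failed_auth_hardened(user)             # printable \e[2Jadmin
end
```

The escaping regex also covers backslashes, so an attacker cannot smuggle a literal `\e` through and have a later log viewer that unescapes dump-style output re-create the sequence; if log lines are consumed by a parser rather than a terminal, restrict the escape to the character set that parser treats as data.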

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release             Version                 Status
ruby1.8 (PTS)     wheezy              1.8.7.358-7.1+deb7u3    vulnerable
                  wheezy (security)   1.8.7.358-7.1+deb7u4    fixed
ruby1.9.1 (PTS)   wheezy              1.9.3.194-8.1+deb7u5    vulnerable
                  wheezy (security)   1.9.3.194-8.1+deb7u6    fixed
ruby2.1 (PTS)     jessie              2.1.5-2+deb8u3          vulnerable
                  jessie (security)   2.1.5-2+deb8u1          vulnerable
ruby2.3 (PTS)     buster, stretch     2.3.3-1+deb9u1          vulnerable
                  stretch (security)  2.3.3-1+deb9u2          fixed
                  sid                 2.3.5-1                 fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version           Urgency   Origin       Debian Bugs
ruby1.8     source   (unstable)   (unfixed)               high
ruby1.8     source   wheezy       1.8.7.358-7.1+deb7u4    high      DLA-1113-1
ruby1.9.1   source   (unstable)   (unfixed)               high
ruby1.9.1   source   wheezy       1.9.3.194-8.1+deb7u6    high      DLA-1114-1
ruby2.1     source   (unstable)   (unfixed)               high
ruby2.3     source   (unstable)   2.3.5-1                 high                   875931
ruby2.3     source   stretch      2.3.3-1+deb9u2          high      DSA-4031-1

Notes

https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://github.com/ruby/ruby/commit/6617c41292b7d1e097abb8fdb0cab9ddd83c77e7
https://hackerone.com/reports/223363