CVE-2017-10784

Sažetak

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

Reference

http://www.securityfocus.com/bid/100853
http://www.securitytracker.com/id/1039363
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://security.gentoo.org/glsa/201710-18
https://usn.ubuntu.com/3528-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/

CVSS

Base:	9.3
Impact:	10.0
Exploitability:	8.6

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
COMPLETE	COMPLETE	COMPLETE

CVSS vektor

AV:N/AC:M/Au:N/C:C/I:C/A:C

Zadnje važnije ažuriranje

31-10-2018 - 10:29

Objavljeno

19-09-2017 - 17:29