CVE-2017-10784
Publication date 19 September 2017
Last updated 24 July 2024
Ubuntu priority
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
Status
| Package | Ubuntu Release | Status |
|---|---|---|
| ruby1.9.1 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 1.9.3.484-2ubuntu1.5
|
|
| ruby2.0 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial | Not in release | |
| 14.04 LTS trusty |
Fixed 2.0.0.484-1ubuntu2.10
|
|
| ruby2.3 | 18.04 LTS bionic | Not in release |
| 16.04 LTS xenial |
Fixed 2.3.1-2~16.04.5
|
|
| 14.04 LTS trusty | Not in release |
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score |
8.8 · High
|
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References
Related Ubuntu Security Notices (USN)
- USN-3439-1
- Ruby vulnerabilities
- 5 October 2017
- USN-3685-1
- Ruby vulnerabilities
- 13 June 2018
- USN-3528-1
- Ruby vulnerabilities
- 10 January 2018