CVE-2017-10784: Improper Authentication
(updated )
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
References
- access.redhat.com/errata/RHSA-2017:3485
- access.redhat.com/errata/RHSA-2018:0378
- access.redhat.com/errata/RHSA-2018:0583
- access.redhat.com/errata/RHSA-2018:0585
- github.com/advisories/GHSA-369m-2gv6-mw28
- github.com/ruby/ruby/commit/6617c41292
- github.com/ruby/webrick/commit/4ac0f3843ab82d1c31e1cfc719409208adef7813
- github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2017-10784.yml
- hackerone.com/reports/223363
- lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- nvd.nist.gov/vuln/detail/CVE-2017-10784
- security.gentoo.org/glsa/201710-18
- usn.ubuntu.com/3528-1/
- usn.ubuntu.com/3685-1/
- web.archive.org/web/20210621131814/http://www.securityfocus.com/bid/100853
- web.archive.org/web/20210919031115/http://www.securitytracker.com/id/1042004
- web.archive.org/web/20211025092552/http://www.securitytracker.com/id/1039363
- www.debian.org/security/2017/dsa-4031
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
- www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
- www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
Code Behaviors & Features
Detect and mitigate CVE-2017-10784 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →