CVE-2017-10784

Published: Sep 19, 2017Modified: May 13, 2026

8.8

Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.

Affected (14)

Products: Ruby Lang: Ruby

1 product

Configuration A

14 vulnerable

Vulnerable Software	Affected Versions
Ruby Lang Ruby	Up to 2.2.7
Ruby Lang Ruby	Version 2.3.0
Ruby Lang Ruby	Version 2.3.0 preview1
Ruby Lang Ruby	Version 2.3.0 preview2
Ruby Lang Ruby	Version 2.3.1
Ruby Lang Ruby	Version 2.3.2
Ruby Lang Ruby	Version 2.3.3
Ruby Lang Ruby	Version 2.3.4
Ruby Lang Ruby	Version 2.4.0
Ruby Lang Ruby	Version 2.4.0 preview1
Ruby Lang Ruby	Version 2.4.0 preview2
Ruby Lang Ruby	Version 2.4.0 preview3
Ruby Lang Ruby	Version 2.4.0 rc1
Ruby Lang Ruby	Version 2.4.1

Related CWEs

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

References (30)

http://www.securityfocus.com/bid/100853

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039363

Source: cve@mitre.org

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1042004

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2017:3485

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2018:0378

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2018:0583

Source: cve@mitre.org

https://access.redhat.com/errata/RHSA-2018:0585

Source: cve@mitre.org

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

Source: cve@mitre.org

https://security.gentoo.org/glsa/201710-18

Source: cve@mitre.org

https://usn.ubuntu.com/3528-1/

Source: cve@mitre.org

https://usn.ubuntu.com/3685-1/

Source: cve@mitre.org

https://www.debian.org/security/2017/dsa-4031

Source: cve@mitre.org

https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/

Source: cve@mitre.org

PatchVendor Advisory

https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/

Source: cve@mitre.org

PatchVendor Advisory

https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/

Source: cve@mitre.org

Vendor Advisory

http://www.securityfocus.com/bid/100853

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1039363

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

http://www.securitytracker.com/id/1042004

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2017:3485

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2018:0378

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2018:0583

Source: af854a3a-2127-422b-91ae-364da2661108

https://access.redhat.com/errata/RHSA-2018:0585

Source: af854a3a-2127-422b-91ae-364da2661108

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201710-18

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/3528-1/

Source: af854a3a-2127-422b-91ae-364da2661108

https://usn.ubuntu.com/3685-1/

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.debian.org/security/2017/dsa-4031

Source: af854a3a-2127-422b-91ae-364da2661108

https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/

Source: af854a3a-2127-422b-91ae-364da2661108

PatchVendor Advisory

https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.