FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-24 03:12:49 UTC

List all Vulnerabilities, by package

List all Vulnerabilities, by date

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID Description

VuXML ID	Description
dd644964-e10e-11e7-8097-0800271d4b9c	ruby -- Command injection vulnerability in Net::FTP Etienne Stalmans from the Heroku product security team reports: There is a command injection vulnerability in Net::FTP bundled with Ruby. `Net::FTP#get`, `getbinaryfile`, `gettextfile`, `put`, `putbinaryfile`, and `puttextfile` use `Kernel#open` to open a local file. If the `localfile` argument starts with the pipe character `"\|"`, the command following the pipe character is executed. The default value of `localfile` is `File.basename(remotefile)`, so malicious FTP servers could cause arbitrary command execution. Discovery 2017-12-14 Entry 2017-12-14 ruby ge 2.2.0,1 lt 2.2.9,1 ge 2.3.0,1 lt 2.3.6,1 ge 2.4.0,1 lt 2.4.3,1 https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/ CVE-2017-17405

dd644964-e10e-11e7-8097-0800271d4b9c

ruby -- Command injection vulnerability in Net::FTP

Etienne Stalmans from the Heroku product security team reports:

There is a command injection vulnerability in Net::FTP bundled with Ruby.

Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the pipe character "|", the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.

Discovery 2017-12-14
Entry 2017-12-14
ruby

ge 2.2.0,1 lt 2.2.9,1

ge 2.3.0,1 lt 2.3.6,1

ge 2.4.0,1 lt 2.4.3,1

https://www.ruby-lang.org/en/news/2017/12/14/net-ftp-command-injection-cve-2017-17405/
CVE-2017-17405