Ruby - (bulletinjan2019)
ID: oval:org.secpod.oval:def:2103534 | Date: (C)2019-12-30 (M)2024-02-19
Class: PATCH | Family: unix
Ruby before 2.4.3 allows Net::FTP command injection. Net::FTP#get, getbinaryfile, gettextfile, put, putbinaryfile, and puttextfile use Kernel#open to open a local file. If the localfile argument starts with the "|" pipe character, the command following the pipe character is executed. The default value of localfile is File.basename(remotefile), so malicious FTP servers could cause arbitrary command execution.
Product:
runtime/ruby-23
runtime/ruby-23/ruby-tk