Added rubies/ruby/CVE-2017-17790.yml (#558)

jasnow · web-flow · commit 5b7af469024e · 2023-03-21T11:52:55.000-07:00
Added rubies/ruby/CVE-2017-17790.yml
diff --git a/rubies/ruby/CVE-2017-17790.yml b/rubies/ruby/CVE-2017-17790.yml
@@ -0,0 +1,35 @@
+---
+engine: ruby
+cve: 2017-17790
+url: https://nvd.nist.gov/vuln/detail/CVE-2017-17790
+title: The lazy_initialize function in lib/resolv.rb in Ruby
+date: 2017-12-20
+description: |
+  The lazy_initialize function in lib/resolv.rb in Ruby through 2.4.3
+  uses Kernel#open, which might allow Command Injection attacks, as
+  demonstrated by a Resolv::Hosts::new argument beginning with a '|'
+  character, a different vulnerability than CVE-2017-17405.
+  NOTE: situations with untrusted input may be highly unlikely.
+
+  CWE: CWE-74 - Improper Neutralization of Special Elements
+
+  CVSS_V3: 9.8 - CRITICAL - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+
+cvss_v3: 9.8
+patched_versions:
+ - '~> 2.2.8'
+ - '~> 2.3.5'
+ - '>= 2.4.3'
+# related:
+#  url:
+#   - https://nvd.nist.gov/vuln/detail/CVE-2017-17790
+#   - https://github.com/ruby/ruby/pull/1777
+#   - https://access.redhat.com/errata/RHSA-2018:0378
+#   - https://access.redhat.com/errata/RHSA-2018:0583
+#   - https://access.redhat.com/errata/RHSA-2018:0584
+#   - https://access.redhat.com/errata/RHSA-2018:0585
+#   - https://lists.debian.org/debian-lts-announce/2017/12/msg00024.html
+#   - https://lists.debian.org/debian-lts-announce/2017/12/msg00025.html
+#   - https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
+#   - https://www.debian.org/security/2018/dsa-4259
+#   - https://github.com/advisories/GHSA-qf67-vmxx-gp4jGHSA-47cm-jxff-w8wg.json
