{"id":"CVE-2017-10784","details":"The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.","aliases":["GHSA-369m-2gv6-mw28"],"modified":"2026-07-08T12:05:02.395462Z","published":"2017-09-19T17:29:00.263Z","related":["SUSE-SU-2020:1570-1"],"references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1042004"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"},{"type":"WEB","url":"https://usn.ubuntu.com/3528-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/3685-1/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100853"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039363"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3485"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0378"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0583"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0585"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201710-18"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-4031"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/"},{"type":"FIX","url":"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/"},{"type":"FIX","url":"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"last_affected":"530165c2948c3eed741db5659f7b937270caa46a"},{"introduced":"d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20"},{"last_affected":"820605ba3c10b9f4dafc4e5d6e09765b8b31cbea"}],"database_specific":{"source":["CPE_RANGE","CPE_STRING"],"cpe":["cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*"],"extracted_events":[{"introduced":"0"},{"last_affected":"2.2.7"},{"introduced":"2.3.0"},{"last_affected":"2.3.0"},{"introduced":"2.3.0-preview1"},{"last_affected":"2.3.0-preview1"},{"introduced":"2.3.0-preview2"},{"last_affected":"2.3.0-preview2"},{"introduced":"2.3.1"},{"last_affected":"2.3.1"},{"introduced":"2.3.2"},{"last_affected":"2.3.2"},{"introduced":"2.3.3"},{"last_affected":"2.3.3"},{"introduced":"2.3.4"},{"last_affected":"2.3.4"},{"introduced":"2.4.0"},{"last_affected":"2.4.0"},{"introduced":"2.4.0-preview1"},{"last_affected":"2.4.0-preview1"},{"introduced":"2.4.0-preview2"},{"last_affected":"2.4.0-preview2"},{"introduced":"2.4.0-preview3"},{"last_affected":"2.4.0-preview3"},{"introduced":"2.4.0-rc1"},{"last_affected":"2.4.0-rc1"},{"introduced":"2.4.1"},{"last_affected":"2.4.1"}]}}],"versions":["2.3.0","2.3.0-preview1","2.3.0-preview2","2.3.1","2.3.2","2.3.3","2.3.4","2.4.0","2.4.0-preview1","2.4.0-preview2","2.4.0-preview3","2.4.0-rc1","2.4.1","v2_2_7","v2_4_1","v2_2_0_rc1","v1_0_r2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-10784.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}