{"id":"CVE-2017-10784","details":"The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.","aliases":["GHSA-369m-2gv6-mw28"],"modified":"2026-05-15T08:16:18.753313Z","published":"2017-09-19T17:29:00.263Z","related":["SUSE-SU-2020:1570-1"],"references":[{"type":"WEB","url":"http://www.securitytracker.com/id/1042004"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html"},{"type":"WEB","url":"https://usn.ubuntu.com/3528-1/"},{"type":"WEB","url":"https://usn.ubuntu.com/3685-1/"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/100853"},{"type":"ADVISORY","url":"http://www.securitytracker.com/id/1039363"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2017:3485"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0378"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0583"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:0585"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/201710-18"},{"type":"ADVISORY","url":"https://www.debian.org/security/2017/dsa-4031"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/"},{"type":"FIX","url":"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/"},{"type":"FIX","url":"https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/ruby","events":[{"introduced":"0"},{"last_affected":"530165c2948c3eed741db5659f7b937270caa46a"},{"last_affected":"d40ea2afa6ff5a6e5befcf342fb7b6dc58796b20"},{"last_affected":"9993701c7d3d83e24699177fef3238d8bf7bbbab"},{"last_affected":"e3434401aca2e331132652d4458366267e8cf378"},{"last_affected":"5827d8e887d881eb3a6e6ea7410590261c90545f"},{"last_affected":"9d222264d5e6a2dcac5aceafb5742a65e53dc513"},{"last_affected":"c91cb76f8d84b2963f6ede2ef445ad46a6104216"},{"last_affected":"4bd69735af901266ec21486243fc206030caa6b9"},{"last_affected":"d4bb726b713658f56e630b6cf817a0155b6f390e"},{"last_affected":"8183c0532207ad0a9b9f99b659116218a9fa132b"},{"last_affected":"e11c22602af69e8139ec0649bb39f5a66d1e66a1"},{"last_affected":"81234c5ecaab58e03e346ebdbf5678e4b8a3db55"},{"last_affected":"55b2febff000595e6c5d8120ccb888855b7edb6f"},{"last_affected":"820605ba3c10b9f4dafc4e5d6e09765b8b31cbea"}],"database_specific":{"source":"CPE_FIELD","extracted_events":[{"introduced":"0"},{"last_affected":"2.2.7"},{"last_affected":"2.3.0"},{"last_affected":"2.3.0-preview1"},{"last_affected":"2.3.0-preview2"},{"last_affected":"2.3.1"},{"last_affected":"2.3.2"},{"last_affected":"2.3.3"},{"last_affected":"2.3.4"},{"last_affected":"2.4.0"},{"last_affected":"2.4.0-preview1"},{"last_affected":"2.4.0-preview2"},{"last_affected":"2.4.0-preview3"},{"last_affected":"2.4.0-rc1"},{"last_affected":"2.4.1"}],"cpe":["cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.0:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.0:preview1:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.0:preview2:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.1:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.2:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.3:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.3.4:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:*:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:preview1:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:preview2:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:preview3:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.0:rc1:*:*:*:*:*:*","cpe:2.3:a:ruby-lang:ruby:2.4.1:*:*:*:*:*:*:*"]}}],"versions":["v2_3_4","v2_2_7","v2_4_1","v2_4_0","v2_4_0_rc1","v2_3_3","v2_3_2","v2_4_0_preview3","v2_4_0_preview2","v2_4_0_preview1","v2_3_1","v2_3_0","v2_3_0_preview2","v2_3_0_preview1","v2_2_0_rc1","v1_0_r2"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-10784.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}]}