Vulnerability DatabaseCVE-2017-10784
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2017-10784
Published:September 19, 2017
Updated:May 17, 2026
The Basic authentication code in WEBrick library in Ruby before 2.2.8, 2.3.x before 2.3.5, and 2.4.x through 2.4.1 allows remote attackers to inject terminal emulator escape sequences into its log and possibly execute arbitrary commands via a crafted user name.
Affected Packages
webrick (RUBY):
Affected version(s) >=1.3.1 <1.4.0
Fix Suggestion:
Update to version 1.4.0
Related Resources (30)
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released/
https://usn.ubuntu.com/3685-1/
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784/
https://security.gentoo.org/glsa/201710-18
https://access.redhat.com/security/cve/CVE-2017-10784
https://web.archive.org/web/20211025092552/http://www.securitytracker.com/id/1039363
https://web.archive.org/web/20210919031115/http://www.securitytracker.com/id/1042004
https://usn.ubuntu.com/3528-1
https://hackerone.com/reports/223363
https://github.com/ruby/ruby/commit/6617c41292
https://nvd.nist.gov/vuln/detail/CVE-2017-10784
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2017:3485
https://www.ruby-lang.org/en/news/2017/09/14/webrick-basic-auth-escape-sequence-injection-cve-2017-10784
https://usn.ubuntu.com/3685-1
http://www.securitytracker.com/id/1042004
https://www.debian.org/security/2017/dsa-4031
https://web.archive.org/web/20210621131814/http://www.securityfocus.com/bid/100853
http://www.securitytracker.com/id/1039363
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2017-10784.yml
https://github.com/ruby/webrick/commit/4ac0f3843ab82d1c31e1cfc719409208adef7813
https://usn.ubuntu.com/3528-1/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-2-8-released
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released/
https://www.ruby-lang.org/en/news/2017/09/14/ruby-2-3-5-released
http://www.securityfocus.com/bid/100853
https://github.com/ruby/webrick
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Authentication
CWE-287
EPSS
Base Score:
1.60