The FTP library in Ruby did not validate remote filenames and blindly passed these to the
kernel.open function. This created a remotely exploitable vulnerability. Since the filenames were supplied by the remote FTP server, it was possible to create a malicious server that could exploit this vulnerability when a vulnerable Ruby client connected and tried to download a file.
This was assigned CVE-2017-17405 and patched by the Ruby team on 14 December 2017.
The following versions of Ruby are all affected by this vulnerability:
- Ruby 2.2 series: 2.2.8 and earlier
- Ruby 2.3 series: 2.3.5 and earlier
- Ruby 2.4 series: 2.4.2 and earlier
- Ruby 2.5 series: 2.5.0-preview1
- prior to trunk revision r61242