GHSA-hxhj-hp9m-qwc4

Source

https://github.com/advisories/GHSA-hxhj-hp9m-qwc4

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-hxhj-hp9m-qwc4/GHSA-hxhj-hp9m-qwc4.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-hxhj-hp9m-qwc4

Aliases

CVE-2017-0904

Published

2017-11-29T23:21:05Z

Modified

2024-11-30T05:41:53.022741Z

Summary

private_address_check vulnerable to bypass of Resolv.getaddresses method

Details

The privateaddresscheck ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.

Database specific

{
    "nvd_published_at": null,
    "github_reviewed_at": "2020-06-16T21:41:23Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-242"
    ],
    "github_reviewed": true
}

References

Affected packages

RubyGems / private_address_check

Package

Name: private_address_check
Purl: pkg:gem/private_address_check

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.4.0

Affected versions

0.*

0.1.0

0.2.0

0.3.0