GHSA-78xj-cgh5-2h22

Опубликовано: 08 фев. 2024

Источник: github

Github: Прошло ревью

Описание

NPM IP package incorrectly identifies some private IP addresses as public

The isPublic() function in the NPM package ip doesn't correctly identify certain private IP addresses in uncommon formats such as 0x7F.1 as private. Instead, it reports them as public by returning true. This can lead to security issues such as Server-Side Request Forgery (SSRF) if isPublic() is used to protect sensitive code paths when passed user input. Versions 1.1.9 and 2.0.1 fix the issue.

Ссылки

Пакеты

Наименование

npm

Затронутые версииВерсия исправления

= 2.0.0

2.0.1

Наименование

npm

Затронутые версииВерсия исправления

< 1.1.9

1.1.9

EPSS

Процентиль: 67%

0.00539

Низкий

CVE ID

CVE-2023-42282

Дефекты

CWE-918

Связанные уязвимости

CVE-2023-42282

CVSS3: 9.8

ubuntu

почти 2 года назад

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

CVE-2023-42282

CVSS3: 9.8

redhat

почти 2 года назад

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

CVE-2023-42282

CVSS3: 9.8

nvd

почти 2 года назад

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.