Описание
The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.
Ссылки
- Issue TrackingThird Party Advisory
- Third Party Advisory
- Issue TrackingThird Party Advisory
- Issue TrackingMitigationPatchThird Party Advisory
- Permissions RequiredThird Party Advisory
- Issue TrackingThird Party Advisory
- Third Party Advisory
- Issue TrackingThird Party Advisory
- Issue TrackingMitigationPatchThird Party Advisory
- Permissions RequiredThird Party Advisory
Уязвимые конфигурации
Конфигурация 1Версия до 0.4.0 (исключая)
cpe:2.3:a:private_address_check_project:private_address_check:*:*:*:*:*:ruby:*:*
EPSS
Процентиль: 75%
0.00862
Низкий
8.1 High
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-242
CWE-755
Связанные уязвимости
github
около 8 лет назад
private_address_check vulnerable to bypass of Resolv.getaddresses method
EPSS
Процентиль: 75%
0.00862
Низкий
8.1 High
CVSS3
6.8 Medium
CVSS2
Дефекты
CWE-242
CWE-755