CVE-2017-0909

Опубликовано: 16 нояб. 2017

Источник: nvd

CVSS3: 9.8

CVSS2: 7.5

EPSS Низкий

Описание

The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery.

Ссылки

https://github.com/jtdowney/private_address_check/pull/3
Issue Tracking
Third Party Advisory
https://hackerone.com/reports/288950
Issue Tracking
Patch
Third Party Advisory
https://github.com/jtdowney/private_address_check/pull/3
Issue Tracking
Third Party Advisory
https://hackerone.com/reports/288950
Issue Tracking
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:private_address_check_project:private_address_check:*:*:*:*:*:ruby:*:*

Версия до 0.4.1 (исключая)

EPSS

Процентиль: 56%

0.00339

Низкий

9.8 Critical

CVSS3

7.5 High

CVSS2

Дефекты

CWE-184

NVD-CWE-noinfo

Связанные уязвимости

GHSA-3v3c-r5v2-68ph

github

около 8 лет назад

private_address_check contains Incomplete List of Disallowed Inputs