exploitDog

CVE-2018-3759

Опубликовано: 13 июн. 2018

Источник: nvd

CVSS3: 3.7

CVSS2: 4.3

EPSS Низкий

Описание

private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address.

Ссылки

https://github.com/jtdowney/private_address_check/commit/4068228187db87fea7577f7020099399772bb147
Patch
Third Party Advisory
https://github.com/jtdowney/private_address_check/commit/4068228187db87fea7577f7020099399772bb147
Patch
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:private_address_check_project:private_address_check:*:*:*:*:*:ruby:*:*

Версия до 0.5.0 (исключая)

EPSS

Процентиль: 40%

0.0018

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-362

CWE-362

Связанные уязвимости

GHSA-2xvj-j3qh-x8c3

github

больше 7 лет назад

private_address_check contains race condition

EPSS

Процентиль: 40%

0.0018

Низкий

3.7 Low

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-362

CWE-362