Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-29415

Опубликовано: 20 фев. 2024
Источник: redhat
CVSS3: 9.8
EPSS Высокий

Описание

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

A flaw was found in node-ip. The fix for CVE-2023-42282 in the ip package for Node.js was incomplete, and the issue may still be triggered using some IP addresses.

Отчет

For CVE-2023-42282, npm does not utilize the bundled code, therefore Red Hat Enterprise Linux is not affected by this vulnerability.

Меры по смягчению последствий

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Cryostat 2node-ipNot affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/kibana6-rhel8Not affected
Migration Toolkit for Virtualizationmigration-toolkit-virtualization/mtv-console-plugin-rhel9Not affected
Multicluster Engine for Kubernetesmulticluster-engine/console-mce-rhel8Not affected
Network Observability Operatornetwork-observability/network-observability-console-plugin-rhel9Not affected
Node HealthCheck Operatorworkload-availability/node-remediation-console-rhel8Not affected
OpenShift Service Mesh 2openshift-service-mesh/kiali-rhel8Not affected
Red Hat 3scale API Management Platform 23scale-amp-system-containerNot affected
Red Hat Advanced Cluster Management for Kubernetes 2rhacm2/console-rhel8Not affected
Red Hat Advanced Cluster Security 3advanced-cluster-security/rhacs-central-db-rhel8Out of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-918
https://bugzilla.redhat.com/show_bug.cgi?id=2284554node-ip: Incomplete fix for CVE-2023-42282

EPSS

Процентиль: 99%
0.86804
Высокий

9.8 Critical

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2024-29415

CVSS3: 8.1
ubuntu
больше 1 года назад

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

nvd логотип

CVE-2024-29415

CVSS3: 8.1
nvd
больше 1 года назад

The ip package through 2.0.1 for Node.js might allow SSRF because some IP addresses (such as 127.1, 01200034567, 012.1.2.3, 000:0:0000::01, and ::fFFf:127.0.0.1) are improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2023-42282.

debian логотип

CVE-2024-29415

CVSS3: 8.1
debian
больше 1 года назад

The ip package through 2.0.1 for Node.js might allow SSRF because some ...

github логотип

GHSA-2p57-rm9w-gvfp

CVSS3: 8.1
github
больше 1 года назад

ip SSRF improper categorization in isPublic

fstec логотип

BDU:2024-04518

CVSS3: 9.8
fstec
почти 2 года назад

Уязвимость функции isPublic() утилиты node-ip программной платформы Node.js, позволяющая нарушителю реализовать SSRF-атаку

EPSS

Процентиль: 99%
0.86804
Высокий

9.8 Critical

CVSS3