Описание
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
A potential SSRF vector has been discovered in the node ip package (ip on npm). The issue is that the value 0 is improperly categorized as globally routable via the isPublic function.
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Cryostat 4 | io.cryostat-cryostat | Fix deferred | ||
| Multicluster Engine for Kubernetes | multicluster-engine/console-mce-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-compat-rhel9 | Fix deferred | ||
| Network Observability Operator | network-observability/network-observability-console-plugin-rhel9 | Fix deferred | ||
| Node HealthCheck Operator | workload-availability/node-healthcheck-must-gather-rhel9 | Fix deferred | ||
| Node HealthCheck Operator | workload-availability/node-healthcheck-operator-bundle | Fix deferred | ||
| Node HealthCheck Operator | workload-availability/node-healthcheck-rhel9-operator | Fix deferred | ||
| Node HealthCheck Operator | workload-availability/node-remediation-console-rhel9 | Fix deferred | ||
| OpenShift Serverless | openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8 | Fix deferred | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel9 | Fix deferred |
Показывать по
Дополнительная информация
EPSS
3.2 Low
CVSS3
Связанные уязвимости
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF b ...
The ip (aka node-ip) package through 2.0.1 (in NPM) might allow SSRF because the IP address value 017700000001 is improperly categorized as globally routable via isPublic. NOTE: this issue exists because of an incomplete fix for CVE-2024-29415.
EPSS
3.2 Low
CVSS3