CVE-2017-0904
EPSS 0.86%private_address_check vulnerable to bypass of Resolv.getaddresses method
Published: 11/29/2017Modified: 11/30/2024
Description
The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's `Resolv.getaddresses` method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.
Affected packages (1)
- RubyGems/private_address_checkfrom 0, < 0.4.0
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-0904
- WEBhttps://edoverflow.com/2017/ruby-resolv-bug
- WEBhttps://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af
- WEBhttps://github.com/jtdowney/private_address_check/issues/1
- WEBhttps://hackerone.com/reports/287245
- WEBhttps://hackerone.com/reports/287835