CVE-2017-0909

EPSS 0.34%

private_address_check contains Incomplete List of Disallowed Inputs

Published: 11/30/2017Modified: 12/6/2024

Description

The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery.

Affected packages (1)

RubyGems/private_address_checkfrom 0, < 0.4.1

References (5)

ADVISORYhttps://github.com/advisories/GHSA-3v3c-r5v2-68ph
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-0909
PATCHhttps://github.com/jtdowney/private_address_check
WEBhttps://github.com/jtdowney/private_address_check/pull/3
WEBhttps://hackerone.com/reports/288950