CVE-2017-0909

EPSS 0.34%

private_address_check contains Incomplete List of Disallowed Inputs

發布日:2017/11/30修改日:2024/12/6

描述

The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery.

受影響套件(1)

RubyGems/private_address_checkfrom 0, < 0.4.1

參考連結(5)

ADVISORYhttps://github.com/advisories/GHSA-3v3c-r5v2-68ph
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-0909
PATCHhttps://github.com/jtdowney/private_address_check
WEBhttps://github.com/jtdowney/private_address_check/pull/3
WEBhttps://hackerone.com/reports/288950