Skip to content

private_address_check vulnerable to bypass of Resolv.getaddresses method

Moderate severity GitHub Reviewed Published Nov 29, 2017 to the GitHub Advisory Database • Updated Jan 23, 2023

Package

bundler private_address_check (RubyGems)

Affected versions

< 0.4.0

Patched versions

0.4.0

Description

The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.

References

Published to the GitHub Advisory Database Nov 29, 2017
Reviewed Jun 16, 2020
Last updated Jan 23, 2023

Severity

Moderate

EPSS score

0.371%
(73rd percentile)

Weaknesses

CVE ID

CVE-2017-0904

GHSA ID

GHSA-hxhj-hp9m-qwc4

Source code

No known source code
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.