Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4aGotaHA5bS1xd2M0

private_address_check vulnerable to bypass of Resolv.getaddresses method

The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.

Permalink: https://github.com/advisories/GHSA-hxhj-hp9m-qwc4
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLWh4aGotaHA5bS1xd2M0
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 6 years ago
Updated: about 1 year ago


Identifiers: GHSA-hxhj-hp9m-qwc4, CVE-2017-0904
References: Repository: https://github.com/jtdowney/private_address_check

Affected Packages

rubygems:private_address_check
Dependent packages: 0
Dependent repositories: 434
Downloads: 1,716,873 total
Affected Version Ranges: < 0.4.0
Fixed in: 0.4.0
All affected versions: 0.1.0, 0.2.0, 0.3.0
All unaffected versions: 0.4.0, 0.4.1, 0.5.0