Skip to content

private_address_check contains Incomplete List of Disallowed Inputs

High severity GitHub Reviewed Published Nov 30, 2017 to the GitHub Advisory Database • Updated Jan 20, 2023

Package

bundler private_address_check (RubyGems)

Affected versions

< 0.4.1

Patched versions

0.4.1

Description

The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery.

References

Published to the GitHub Advisory Database Nov 30, 2017
Reviewed Jun 16, 2020
Last updated Jan 20, 2023

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(56th percentile)

Weaknesses

Incomplete List of Disallowed Inputs

The product implements a protection mechanism that relies on a list of inputs (or properties of inputs) that are not allowed by policy or otherwise require other action to neutralize before additional processing takes place, but the list is incomplete, leading to resultant weaknesses. Learn more on MITRE.

CVE ID

CVE-2017-0909

GHSA ID

GHSA-3v3c-r5v2-68ph

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.