Skip to content

private_address_check contains Incomplete List of Disallowed Inputs

High severity GitHub Reviewed Published Nov 30, 2017 to the GitHub Advisory Database • Updated Jan 20, 2023

Package

bundler private_address_check (RubyGems)

Affected versions

< 0.4.1

Patched versions

0.4.1

Description

The private_address_check ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery.

References

Published to the GitHub Advisory Database Nov 30, 2017
Reviewed Jun 16, 2020
Last updated Jan 20, 2023

Severity

High

EPSS score

0.245%
(65th percentile)

Weaknesses

CVE ID

CVE-2017-0909

GHSA ID

GHSA-3v3c-r5v2-68ph

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.