CVE-2017-0904
Last modified
CVE-2017-0904 is a vulnerability of currently unknown severity. The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.. EPSS estimates a 2.42% chance of exploitation in the next 30 days.
Description
The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.
Metrics
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Private Address Check Project | Private Address Check | < 0.4.0 |
References
- https://edoverflow.com/2017/ruby-resolv-bug/Issue Tracking, Third Party Advisory
- https://github.com/jtdowney/private_address_check/issues/1Issue Tracking, Third Party Advisory
- https://hackerone.com/reports/287245Issue Tracking, Mitigation, Patch, Third Party Advisory
- https://hackerone.com/reports/287835Permissions Required, Third Party Advisory
- https://edoverflow.com/2017/ruby-resolv-bug/Issue Tracking, Third Party Advisory
- https://github.com/jtdowney/private_address_check/issues/1Issue Tracking, Third Party Advisory
- https://hackerone.com/reports/287245Issue Tracking, Mitigation, Patch, Third Party Advisory
- https://hackerone.com/reports/287835Permissions Required, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2017-0904?
How severe is CVE-2017-0904?
How do I fix CVE-2017-0904?
Are you affected by CVE-2017-0904?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST