3 matches found
CVE-2017-0909
The CVE-2017-0909 issue affects the private_address_check Ruby gem (versions before 0.4.1). It enables a bypass of its server-side request forgery (SSRF) protections by an incomplete blacklist of private/local addresses, notably missing 0.0.0.0. Affected behavior: attackers can bypass the blackli...
CVE-2018-3759
The CVE concerns the Ruby gem private_address_check (pre-0.5.0). It describes a TOCTOU race condition caused by not checking the socket’s destination address, where a DNS entry with TTL 0 can yield a public address initially and a private address subsequently. Multiple connected sources (GitHub a...
CVE-2017-0904
The private_address_check Ruby gem (versions before 0.4.0) is affected by a bypass of its own privacy filter due to using Ruby’s Resolv.getaddresses, which is OS-dependent and cannot be trusted for security checks. This can undermine server-side request forgery protections that rely on blacklisti...