RubySec

Providing security resources for the Ruby community

CVE-2017-0905 (recurly): SSRF vulnerability in Recurly gem's Resource#find.

GEM

recurly

SEVERITY

CVSS v3.x: 9.8 (Critical)

PATCHED VERSIONS

  • ~> 2.0.13
  • ~> 2.1.11
  • ~> 2.2.5
  • ~> 2.3.10
  • ~> 2.4.11
  • ~> 2.5.3
  • ~> 2.6.3
  • ~> 2.7.8
  • ~> 2.8.2
  • ~> 2.9.2
  • ~> 2.10.4
  • ~> 2.11.3
  • >= 2.12.0

DESCRIPTION

If you are using the #find method on any of the classes that are derived from the Resource class and you are passing user input into that method, a malicious user can force the HTTP client to reach out to a server under their control. This can lead to leakage of your private API key.

Because of the severity of impact, we are recommending that all users upgrade to a patched version. We have provided a non-breaking patch for every 2.x version of the client.
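As an added example, not code from the RubySec advisory or the recurly gem, here are two defender-side checks: a test of an installed gem version against the patched ranges listed above, and an allow-list validator for user-supplied identifiers before they reach a Resource subclass's find. The identifier character class is an assumption about the application's own ID format.

```ruby
# Added example for CVE-2017-0905; not code from the RubySec advisory or the
# recurly gem. Two defender-side checks:
#   patched_recurly?(version)  - is this gem version inside one of the patched
#                                ranges listed in the advisory?
#   opaque_resource_id(input)  - refuse user input that could redirect the
#                                HTTP client before it reaches Resource#find.
require "rubygems"

# Patched version constraints, copied from the advisory. "~>" is RubyGems'
# pessimistic operator: "~> 2.7.8" means >= 2.7.8 and < 2.8.
PATCHED_RECURLY = [
  "~> 2.0.13", "~> 2.1.11", "~> 2.2.5", "~> 2.3.10", "~> 2.4.11",
  "~> 2.5.3", "~> 2.6.3", "~> 2.7.8", "~> 2.8.2", "~> 2.9.2",
  "~> 2.10.4", "~> 2.11.3", ">= 2.12.0"
].map { |r| Gem::Requirement.new(r) }

# True when the installed version satisfies at least one patched range.
def patched_recurly?(version)
  v = Gem::Version.new(version)
  PATCHED_RECURLY.any? { |req| req.satisfied_by?(v) }
end

# Allow-list for identifiers that will be interpolated into a request path.
# Anything that could introduce a scheme, host, extra path segment, query or
# fragment (":", "/", "?", "#", "@", "..", whitespace) fails the match.
# The character class is an assumption about the application's own
# identifier format; tighten it to whatever IDs you actually issue.
OPAQUE_ID = /\A[A-Za-z0-9_-]{1,64}\z/

def opaque_resource_id?(input)
  input.is_a?(String) && input.match?(OPAQUE_ID)
end

# Returns the validated id, or raises so the caller never reaches find.
def opaque_resource_id(input)
  return input if opaque_resource_id?(input)
  raise ArgumentError, "refusing lookup of #{input.inspect}: not an opaque id"
end

if __FILE__ == $PROGRAM_NAME
  puts "recurly 2.7.7 patched? #{patched_recurly?('2.7.7')}" # false
  puts "recurly 2.7.8 patched? #{patched_recurly?('2.7.8')}" # true
  puts opaque_resource_id("acct_8f3a")                       # acct_8f3a
  begin
    opaque_resource_id("https://example.invalid/")           # rejected
  rescue ArgumentError => e
    puts e.message
  end
end
```

In application code, wrap the request parameter before the lookup, e.g. `find(opaque_resource_id(params[:id]))`, rather than passing the raw parameter through.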