SSRF vulnerability in Recurly gem's Resource#find.
Published: November 09, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2017-0905 (NVD)
- GHSA: GHSA-x27v-x225-gq8g
- Vendor Advisory: https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be
GEM
SEVERITY
CVSS v3.x: 9.8 (Critical)
PATCHED VERSIONS
~> 2.0.13
~> 2.1.11
~> 2.2.5
~> 2.3.10
~> 2.4.11
~> 2.5.3
~> 2.6.3
~> 2.7.8
~> 2.8.2
~> 2.9.2
~> 2.10.4
~> 2.11.3
>= 2.12.0
DESCRIPTION
If you are using the #find method on any of the classes derived from the Resource class and you are passing user input into that method, a malicious user can force the HTTP client to reach out to a server under their control. This can lead to leakage of your private API key.
Because of the severity of impact, we are recommending that all users upgrade to a patched version. We have provided a non-breaking patch for every 2.X version of the client.
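The following Ruby snippet is an added illustration of the vulnerability class described above; it is not code from the recurly gem or from the vendor's fix. It assumes a client that builds the lookup URL by joining a record id onto the resource path (API_BASE, the collection names and ID_PATTERN are constructed for this example). Under RFC 3986 resolution, as implemented by URI.join, an id that is itself an absolute URL replaces the scheme and host of the base, which is how an unvalidated id can send an authenticated request to an attacker-chosen host. The hardened variant validates the id against an allowlist and verifies the resolved URL still points at the API host and expected path.

```ruby
require "uri"

# Constructed for this example: the API base the client is assumed to talk to.
API_BASE = URI("https://api.recurly.com/v2/")

# Models the risky pattern: the record id is appended to the resource path
# without validation. Under RFC 3986 resolution an id that is itself an
# absolute URL replaces the scheme and host of the base, so the request,
# which carries the client's API key, leaves the API host entirely.
def naive_resource_url(collection, id)
  URI.join(API_BASE, "#{collection}/", id.to_s)
end

# Allowlist for ids (assumed here; real id formats vary per resource).
# Must start with an alphanumeric, so "." and ".." dot-segments are rejected.
ID_PATTERN = /\A[A-Za-z0-9][A-Za-z0-9_@.\-]{0,79}\z/

# Hardened lookup: validate the id before building the URL, then verify the
# resolved URL still targets the API host and the expected collection path.
def safe_resource_url(collection, id)
  id = id.to_s
  raise ArgumentError, "invalid id: #{id.inspect}" unless id.match?(ID_PATTERN)
  url = URI.join(API_BASE, "#{collection}/", id)
  expected_prefix = "#{API_BASE.path}#{collection}/"
  unless url.scheme == API_BASE.scheme && url.host == API_BASE.host &&
         url.path.start_with?(expected_prefix)
    raise SecurityError, "resolved URL escaped the API: #{url}"
  end
  url
end

# Detection aid for reviewing inputs: true when a candidate id would move the
# request off the API host under the naive join.
def id_hijacks_host?(collection, id)
  naive_resource_url(collection, id).host != API_BASE.host
end

if __FILE__ == $0
  puts naive_resource_url("accounts", "abc123")
  puts naive_resource_url("accounts", "https://untrusted.example/collect")  # off-host
  puts safe_resource_url("accounts", "abc123")
  begin
    safe_resource_url("accounts", "https://untrusted.example/collect")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The allowlist check is the primary control; the post-resolution host and path check is a second line of defence against id formats the pattern did not anticipate. Neither replaces the upgrade the advisory recommends, since the gem's own URL construction is what the vendor patch corrects.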
