private_address_check Ruby Gem Blacklist Bypass privilege escalation
Published: November 09, 2017
SECURITY IDENTIFIERS
- CVE: CVE-2017-0909 (NVD)
- GHSA: GHSA-3v3c-r5v2-68ph
- Vendor Advisory: https://github.com/jtdowney/private_address_check/pull/3
PATCHED VERSIONS
>= 0.4.1
DESCRIPTION
The private_address_check Ruby gem before 0.4.1 is vulnerable to a bypass due to an incomplete blacklist of common private/local network addresses used to prevent server-side request forgery.
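As an added example (not the gem's own code), the following Ruby predicate shows what a complete list of non-public ranges for an SSRF guard of this kind looks like, together with a coverage probe that reports any address the list fails to classify as non-public; the range list and the probe values are constructed here.

```ruby
require "ipaddr"

# Constructed list of non-public ranges drawn from the IANA special-purpose
# address registries; an SSRF guard that omits any of these has a bypass.
NON_PUBLIC_RANGES = [
  "0.0.0.0/8",        # "this" network
  "10.0.0.0/8",       # RFC 1918
  "100.64.0.0/10",    # carrier-grade NAT shared space
  "127.0.0.0/8",      # loopback
  "169.254.0.0/16",   # link-local (cloud metadata services live here)
  "172.16.0.0/12",    # RFC 1918
  "192.0.0.0/24",     # IETF protocol assignments
  "192.0.2.0/24",     # TEST-NET-1 documentation range
  "192.168.0.0/16",   # RFC 1918
  "198.18.0.0/15",    # benchmarking
  "198.51.100.0/24",  # TEST-NET-2 documentation range
  "203.0.113.0/24",   # TEST-NET-3 documentation range
  "224.0.0.0/4",      # multicast
  "240.0.0.0/4",      # reserved, includes broadcast
  "::/128",           # IPv6 unspecified
  "::1/128",          # IPv6 loopback
  "fc00::/7",         # IPv6 unique local
  "fe80::/10",        # IPv6 link-local
  "ff00::/8",         # IPv6 multicast
].map { |cidr| IPAddr.new(cidr) }

# True when the literal address falls in any non-public range.
def non_public_address?(str)
  addr = IPAddr.new(str)
  # IPv4-mapped IPv6 literals (::ffff:10.0.0.1) are folded back to IPv4 so the
  # IPv4 ranges apply; IPAddr#native returns self for every other address.
  addr = addr.native
  NON_PUBLIC_RANGES.any? { |range| range.include?(addr) }
rescue IPAddr::InvalidAddressError
  true # unparseable input is treated as unsafe rather than allowed through
end

# Constructed probe set: every entry should be non-public. Any entry returned
# by blacklist_gaps is a range the guard fails to cover.
PROBES = %w[0.0.0.0 10.1.2.3 100.64.0.1 127.0.0.1 169.254.169.254 172.31.255.255
            192.168.0.1 255.255.255.255 ::1 fd12::1 fe80::1 ::ffff:127.0.0.1].freeze

def blacklist_gaps(probes = PROBES)
  probes.reject { |p| non_public_address?(p) }
end
```

Apply the predicate to every address a hostname resolves to at connection time, not only to a literal in the URL, since a name may resolve to a non-public address.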
