Providing security resources for the Ruby community.
Follow us @rubysec or email us via info at

Advisory Archive


gem: private_address_check
date: 2018-05-03
cve: 2018-3759
title: private_address_check Ruby Gem Time-of-check Time-of-use race condition
description: |
  private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU)
  race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0
  can trigger this case where the initial resolution is a public address by the subsequent
  resolution is a private address.
- ">= 0.5.0"