private_address_check vulnerable to bypass of Resolv.getaddresses method
Moderate severity
GitHub Reviewed
Published
Nov 29, 2017
to the GitHub Advisory Database
•
Updated Jan 23, 2023
Description
Published to the GitHub Advisory Database
Nov 29, 2017
Reviewed
Jun 16, 2020
Last updated
Jan 23, 2023
The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's
Resolv.getaddressesmethod, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery.References