Server-Side Request Forgery Bypass in Private Address Check Ruby Gem by JTDowney
CVE-2017-0909

9.8CRITICAL

Key Information:

Vendor: Hackerone
Status: Private Address Check Ruby Gem
Vendor: CVE Published:; 16 November 2017

What is CVE-2017-0909?

The Private Address Check Ruby gem prior to version 0.4.1 is susceptible to a bypass vulnerability. This issue arises from an inadequate blacklist of standard private and local network addresses, which are intended to prevent server-side request forgery (SSRF). Exploiting this flaw could lead to unauthorized access and manipulation of internal resources, posing significant risks to systems that rely on this gem for safeguarding against SSRF threats.

Affected Version(s)

private_address_check ruby gem Versions before 0.4.1

References

https://hackerone.com/reports/288950

x_refsource_MISC

https://github.com/jtdowney/private_address_check/pull/3

x_refsource_CONFIRM

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 16, 2017
Vulnerability Reserved
Nov 30, 2016

Hackerone

What is CVE-2017-0909?

Affected Version(s)

References

CVSS V3.1

Timeline