CVE-2017-0904 - Vulnerability Details

Vendors	Products
Private Address Check Project	Private Address Check

Link	Providers
https://edoverflow.com/2017/ruby-resolv-bug/
https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af
https://github.com/jtdowney/private_address_check/issues/1
https://hackerone.com/reports/287245
https://hackerone.com/reports/287835

Show plain JSON

{"containers": {"cna": {"affected": [{"product": "private_address_check ruby gem", "vendor": "jtdowney", "versions": [{"status": "affected", "version": "Versions before 0.4.0"}]}], "datePublic": "2017-11-05T00:00:00", "descriptions": [{"lang": "en", "value": "The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-242", "description": "Use of Inherently Dangerous Function (CWE-242)", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-11-13T16:57:01", "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "shortName": "hackerone"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/287245"}, {"tags": ["x_refsource_MISC"], "url": "https://edoverflow.com/2017/ruby-resolv-bug/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jtdowney/private_address_check/issues/1"}, {"tags": ["x_refsource_MISC"], "url": "https://hackerone.com/reports/287835"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "support@hackerone.com", "DATE_PUBLIC": "2017-11-05T00:00:00", "ID": "CVE-2017-0904", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "private_address_check ruby gem", "version": {"version_data": [{"version_value": "Versions before 0.4.0"}]}}]}, "vendor_name": "jtdowney"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Use of Inherently Dangerous Function (CWE-242)"}]}]}, "references": {"reference_data": [{"name": "https://hackerone.com/reports/287245", "refsource": "MISC", "url": "https://hackerone.com/reports/287245"}, {"name": "https://edoverflow.com/2017/ruby-resolv-bug/", "refsource": "MISC", "url": "https://edoverflow.com/2017/ruby-resolv-bug/"}, {"name": "https://github.com/jtdowney/private_address_check/issues/1", "refsource": "CONFIRM", "url": "https://github.com/jtdowney/private_address_check/issues/1"}, {"name": "https://hackerone.com/reports/287835", "refsource": "MISC", "url": "https://hackerone.com/reports/287835"}, {"name": "https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af", "refsource": "CONFIRM", "url": "https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T13:25:16.406Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/287245"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://edoverflow.com/2017/ruby-resolv-bug/"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jtdowney/private_address_check/issues/1"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://hackerone.com/reports/287835"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af"}]}]}, "cveMetadata": {"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1", "assignerShortName": "hackerone", "cveId": "CVE-2017-0904", "datePublished": "2017-11-13T17:00:00Z", "dateReserved": "2016-11-30T00:00:00", "dateUpdated": "2024-09-17T01:56:09.414Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{

containers : { »

cna : { »

affected : [ »

0 : { »

product : private_address_check ruby gem (string)

vendor : jtdowney (string)

versions : [ »

0 : { »

status : affected (string)

version : Versions before 0.4.0 (string)

}

]

}

]

datePublic : 2017-11-05T00:00:00 (string)

descriptions : [ »

0 : { »

lang : en (string)

value : The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery. (string)

}

]

problemTypes : [ »

0 : { »

descriptions : [ »

0 : { »

cweId : CWE-242 (string)

description : Use of Inherently Dangerous Function (CWE-242) (string)

lang : en (string)

type : CWE (string)

}

]

}

]

providerMetadata : { »

dateUpdated : 2017-11-13T16:57:01 (string)

orgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

shortName : hackerone (string)

}

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://hackerone.com/reports/287245 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://edoverflow.com/2017/ruby-resolv-bug/ (string)

}

2 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/jtdowney/private_address_check/issues/1 (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

]

url : https://hackerone.com/reports/287835 (string)

}

4 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

]

url : https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af (string)

}

]

x_legacyV4Record : { »

CVE_data_meta : { »

ASSIGNER : support@hackerone.com (string)

DATE_PUBLIC : 2017-11-05T00:00:00 (string)

ID : CVE-2017-0904 (string)

STATE : PUBLIC (string)

}

affects : { »

vendor : { »

vendor_data : [ »

0 : { »

product : { »

product_data : [ »

0 : { »

product_name : private_address_check ruby gem (string)

version : { »

version_data : [ »

0 : { »

version_value : Versions before 0.4.0 (string)

}

]

}

]

}

vendor_name : jtdowney (string)

}

]

}

data_format : MITRE (string)

data_type : CVE (string)

data_version : 4.0 (string)

description : { »

description_data : [ »

0 : { »

lang : eng (string)

value : The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery. (string)

}

]

}

problemtype : { »

problemtype_data : [ »

0 : { »

description : [ »

0 : { »

lang : eng (string)

value : Use of Inherently Dangerous Function (CWE-242) (string)

}

]

}

]

}

references : { »

reference_data : [ »

0 : { »

name : https://hackerone.com/reports/287245 (string)

refsource : MISC (string)

url : https://hackerone.com/reports/287245 (string)

}

1 : { »

name : https://edoverflow.com/2017/ruby-resolv-bug/ (string)

refsource : MISC (string)

url : https://edoverflow.com/2017/ruby-resolv-bug/ (string)

}

2 : { »

name : https://github.com/jtdowney/private_address_check/issues/1 (string)

refsource : CONFIRM (string)

url : https://github.com/jtdowney/private_address_check/issues/1 (string)

}

3 : { »

name : https://hackerone.com/reports/287835 (string)

refsource : MISC (string)

url : https://hackerone.com/reports/287835 (string)

}

4 : { »

name : https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af (string)

refsource : CONFIRM (string)

url : https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af (string)

}

]

}

adp : [ »

0 : { »

providerMetadata : { »

orgId : af854a3a-2127-422b-91ae-364da2661108 (string)

shortName : CVE (string)

dateUpdated : 2024-08-05T13:25:16.406Z (string)

}

title : CVE Program Container (string)

references : [ »

0 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://hackerone.com/reports/287245 (string)

}

1 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://edoverflow.com/2017/ruby-resolv-bug/ (string)

}

2 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/jtdowney/private_address_check/issues/1 (string)

}

3 : { »

tags : [ »

0 : x_refsource_MISC (string)

1 : x_transferred (string)

]

url : https://hackerone.com/reports/287835 (string)

}

4 : { »

tags : [ »

0 : x_refsource_CONFIRM (string)

1 : x_transferred (string)

]

url : https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af (string)

}

]

}

]

}

cveMetadata : { »

assignerOrgId : 36234546-b8fa-4601-9d6f-f4e334aa8ea1 (string)

assignerShortName : hackerone (string)

cveId : CVE-2017-0904 (string)

datePublished : 2017-11-13T17:00:00Z (string)

dateReserved : 2016-11-30T00:00:00 (string)

dateUpdated : 2024-09-17T01:56:09.414Z (string)

state : PUBLISHED (string)

}

dataType : CVE_RECORD (string)

dataVersion : 5.1 (string)

}

Show plain JSON

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:private_address_check_project:private_address_check:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "0201F942-329A-43A4-B384-8A3257C7D6F9", "versionEndExcluding": "0.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery."}, {"lang": "es", "value": "La gema de Ruby private_address_check en versiones anteriores a la 0.4.0 es vulnerable a una omisi\u00f3n debido al uso del m\u00e9todo de Ruby Resolv.getaddresses, que depende del sistema operativo y del que no se deber\u00eda depender para aplicar medidas de seguridad, como cuando se emplea para bloquear direcciones de red privadas para evitar Server-Side Rrequest Forgery."}], "id": "CVE-2017-0904", "lastModified": "2025-04-20T01:37:25.860", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-13T17:29:00.347", "references": [{"source": "support@hackerone.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://edoverflow.com/2017/ruby-resolv-bug/"}, {"source": "support@hackerone.com", "tags": ["Third Party Advisory"], "url": "https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af"}, {"source": "support@hackerone.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jtdowney/private_address_check/issues/1"}, {"source": "support@hackerone.com", "tags": ["Issue Tracking", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://hackerone.com/reports/287245"}, {"source": "support@hackerone.com", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/287835"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://edoverflow.com/2017/ruby-resolv-bug/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/jtdowney/private_address_check/issues/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Mitigation", "Patch", "Third Party Advisory"], "url": "https://hackerone.com/reports/287245"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Permissions Required", "Third Party Advisory"], "url": "https://hackerone.com/reports/287835"}], "sourceIdentifier": "support@hackerone.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-242"}], "source": "support@hackerone.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-755"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{

configurations : [ »

0 : { »

nodes : [ »

0 : { »

cpeMatch : [ »

0 : { »

criteria : cpe:2.3:a:private_address_check_project:private_address_check:*:*:*:*:*:ruby:*:* (string)

matchCriteriaId : 0201F942-329A-43A4-B384-8A3257C7D6F9 (string)

versionEndExcluding : 0.4.0 (string)

vulnerable : true (boolean)

}

]

negate : false (boolean)

operator : OR (string)

}

]

}

]

cveTags : [ *empty* ]

descriptions : [ »

0 : { »

lang : en (string)

value : The private_address_check ruby gem before 0.4.0 is vulnerable to a bypass due to use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures, such as when used to blacklist private network addresses to prevent server-side request forgery. (string)

}

1 : { »

lang : es (string)

value : La gema de Ruby private_address_check en versiones anteriores a la 0.4.0 es vulnerable a una omisión debido al uso del método de Ruby Resolv.getaddresses, que depende del sistema operativo y del que no se debería depender para aplicar medidas de seguridad, como cuando se emplea para bloquear direcciones de red privadas para evitar Server-Side Rrequest Forgery. (string)

}

]

id : CVE-2017-0904 (string)

lastModified : 2025-04-20T01:37:25.860 (string)

metrics : { »

cvssMetricV2 : [ »

0 : { »

acInsufInfo : false (boolean)

baseSeverity : MEDIUM (string)

cvssData : { »

accessComplexity : MEDIUM (string)

accessVector : NETWORK (string)

authentication : NONE (string)

availabilityImpact : PARTIAL (string)

baseScore : 6.8 (number)

confidentialityImpact : PARTIAL (string)

integrityImpact : PARTIAL (string)

vectorString : AV:N/AC:M/Au:N/C:P/I:P/A:P (string)

version : 2.0 (string)

}

exploitabilityScore : 8.6 (number)

impactScore : 6.4 (number)

obtainAllPrivilege : false (boolean)

obtainOtherPrivilege : false (boolean)

obtainUserPrivilege : false (boolean)

source : nvd@nist.gov (string)

type : Primary (string)

userInteractionRequired : false (boolean)

}

]

cvssMetricV30 : [ »

0 : { »

cvssData : { »

attackComplexity : HIGH (string)

attackVector : NETWORK (string)

availabilityImpact : HIGH (string)

baseScore : 8.1 (number)

baseSeverity : HIGH (string)

confidentialityImpact : HIGH (string)

integrityImpact : HIGH (string)

privilegesRequired : NONE (string)

scope : UNCHANGED (string)

userInteraction : NONE (string)

vectorString : CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (string)

version : 3.0 (string)

}

exploitabilityScore : 2.2 (number)

impactScore : 5.9 (number)

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

published : 2017-11-13T17:29:00.347 (string)

references : [ »

0 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Issue Tracking (string)

1 : Third Party Advisory (string)

]

url : https://edoverflow.com/2017/ruby-resolv-bug/ (string)

}

1 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af (string)

}

2 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Issue Tracking (string)

1 : Third Party Advisory (string)

]

url : https://github.com/jtdowney/private_address_check/issues/1 (string)

}

3 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Issue Tracking (string)

1 : Mitigation (string)

2 : Patch (string)

3 : Third Party Advisory (string)

]

url : https://hackerone.com/reports/287245 (string)

}

4 : { »

source : support@hackerone.com (string)

tags : [ »

0 : Permissions Required (string)

1 : Third Party Advisory (string)

]

url : https://hackerone.com/reports/287835 (string)

}

5 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Third Party Advisory (string)

]

url : https://edoverflow.com/2017/ruby-resolv-bug/ (string)

}

6 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Third Party Advisory (string)

]

url : https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af (string)

}

7 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Third Party Advisory (string)

]

url : https://github.com/jtdowney/private_address_check/issues/1 (string)

}

8 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Issue Tracking (string)

1 : Mitigation (string)

2 : Patch (string)

3 : Third Party Advisory (string)

]

url : https://hackerone.com/reports/287245 (string)

}

9 : { »

source : af854a3a-2127-422b-91ae-364da2661108 (string)

tags : [ »

0 : Permissions Required (string)

1 : Third Party Advisory (string)

]

url : https://hackerone.com/reports/287835 (string)

}

]

sourceIdentifier : support@hackerone.com (string)

vulnStatus : Deferred (string)

weaknesses : [ »

0 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-242 (string)

}

]

source : support@hackerone.com (string)

type : Secondary (string)

}

1 : { »

description : [ »

0 : { »

lang : en (string)

value : CWE-755 (string)

}

]

source : nvd@nist.gov (string)

type : Primary (string)

}

]

}

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

Metrics

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Medium

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object