CVE-2017-0904: Improper Handling of Exceptional Conditions
The private_address_check Ruby gem is vulnerable to a bypass because it uses Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security decisions such as excluding private network addresses to prevent server-side request forgery (SSRF).
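The following is an added defender-side example, not code from the private_address_check gem or from GitLab. It shows the shape of a private-address check that does not lean on a single OS-dependent resolver call: the address blocks are an assumed list, the resolver is injectable (the assumed default queries DNS explicitly through Resolv::DNS), every returned address is checked, IPv4-mapped IPv6 literals are unwrapped, and any exceptional condition (unparseable input, resolver error, empty answer) fails closed.

```ruby
require 'ipaddr'
require 'resolv'

# Address blocks a server-side fetch must never reach (constructed list; extend as needed).
PRIVATE_RANGES = %w[
  0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12
  192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

# True when +addr+ falls in a private, loopback, link-local or unspecified block.
# Unparseable input is treated as private so the caller fails closed.
def private_address?(addr)
  ip = IPAddr.new(addr)
  # ::ffff:10.0.0.1 is really 10.0.0.1; compare it against the IPv4 ranges.
  ip = ip.native if ip.ipv6? && ip.ipv4_mapped?
  PRIVATE_RANGES.any? { |range| range.include?(ip) }
rescue IPAddr::InvalidAddressError
  true
end

# Assumed default resolver: asks the configured nameservers directly via Resolv::DNS
# rather than the OS resolver, and returns every A and AAAA answer as a string.
DEFAULT_RESOLVER = lambda do |host|
  Resolv::DNS.open { |dns| dns.getaddresses(host).map(&:to_s) }
end

# Decide whether it is safe to connect to +host+ (a hostname or an IP literal).
# The resolver is injected so the decision logic can be exercised without network access.
# Fails closed when resolution raises, returns nothing, or yields any private address.
def safe_destination?(host, resolver: DEFAULT_RESOLVER)
  addresses =
    if host =~ Resolv::IPv4::Regex || host =~ Resolv::IPv6::Regex
      [host] # already a literal, no lookup needed
    else
      begin
        Array(resolver.call(host))
      rescue StandardError
        [] # a resolver error is an exceptional condition: treat as unsafe
      end
    end
  return false if addresses.empty?
  addresses.none? { |a| private_address?(a) }
end
```

Checking every returned address (not just the first) matters because a name can resolve to a mix of public and internal addresses, and the connection may be made to any of them. Injecting the resolver also makes the policy testable with constructed answers, which is how the logic above is exercised.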