<p>Upgrade <code>private_address_check</code> to version 0.5.0 or higher.</p>

Time of Check Time of Use (TOCTOU) Affecting private_address_check package, versions <0.5.0

Snyk CVSS

Attack Complexity High

Threat Intelligence

EPSS 0.09% (36^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-PRIVATEADDRESSCHECK-22028
published 10 Jun 2018
disclosed 4 May 2018
credit Unknown

Report a new vulnerability Found a mistake?

Introduced: 4 May 2018

CVE-2018-3759 Open this link in a new tab CWE-367 Open this link in a new tab

How to fix?

Upgrade private_address_check to version 0.5.0 or higher.

Overview

private_address_check checks if a IP or hostname would cause a request to a private network (RFC 1918).

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU) attacks. The address that was used by the socket was not sufficiently checked.

References

GitHub Commit