Time of Check Time of Use (TOCTOU)

Affecting private_address_check gem, versions <0.5.0

Overview

private_address_check checks whether an IP address or hostname would cause a request to be sent to a private network (RFC 1918).

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU) attacks: the address that the socket actually connected to was not sufficiently checked, so the address validated beforehand and the address used for the connection could differ.
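The check-then-use gap described above, as an added illustration that is not the gem's own code: a constructed resolver that answers differently between the check and the connection, a vulnerable pattern that re-resolves the hostname at connect time, and the fixed pattern that checks and connects to one resolved address. The private-range check, resolver and socket stand-in are all constructed here for an offline run.

```ruby
require "ipaddr"

# Constructed stand-in for a private-network check (RFC 1918 ranges plus loopback);
# it is not the gem's implementation.
PRIVATE_RANGES = %w[10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8].map { |r| IPAddr.new(r) }

def private_address?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |range| range.include?(addr) }
end

# Constructed resolver: the first lookup of a name returns one answer and every
# later lookup returns another, which is exactly the condition a TOCTOU check misses.
class RebindingResolver
  def initialize(answers)
    @answers = answers   # hostname => [first answer, subsequent answer]
    @seen = Hash.new(0)
  end

  def resolve(hostname)
    first, later = @answers.fetch(hostname)
    n = @seen[hostname]
    @seen[hostname] += 1
    n.zero? ? first : later
  end
end

# Vulnerable pattern (time of check != time of use): validate the name, then let the
# socket resolve it again. Returns the address the socket ends up using, or nil if rejected.
def fetch_check_then_connect(resolver, hostname)
  return nil if private_address?(resolver.resolve(hostname))   # time of check
  resolver.resolve(hostname)                                   # time of use: a second lookup
end

# Fixed pattern: resolve once, check that literal address, connect to that same address.
def fetch_pin_resolved_address(resolver, hostname)
  ip = resolver.resolve(hostname)
  return nil if private_address?(ip)
  ip   # the socket is given the checked address, never the name
end
```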

Remediation

Upgrade private_address_check to version 0.5.0 or higher.


CVSS Score

3.7 (low severity)
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: None
  • Availability: None
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Credit: Unknown
CVE: CVE-2018-3759
CWE: CWE-367
Snyk ID: SNYK-RUBY-PRIVATEADDRESSCHECK-22028
Disclosed: 04 May, 2018
Published: 10 Jun, 2018