Time of Check Time of Use (TOCTOU)

Affecting private_address_check gem, versions <0.5.0

low severity

Overview

private_address_check is a Ruby gem that checks whether an IP address or hostname would cause a request to be sent to a private network (RFC 1918 ranges).

Affected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU) attacks. The check was applied to the address obtained when the library resolved the hostname, but the address the socket actually connected to was not sufficiently checked. A hostname whose DNS answer changes between the check and the connection (for example through DNS rebinding) can therefore pass the check and still reach a private address.

Remediation

Upgrade private_address_check to version 0.5.0 or higher.
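The following is an added example and is not code from the private_address_check gem. It simulates the check-then-use gap described in the Overview with a constructed resolver whose answers change between lookups, and contrasts it with the two ways the Remediation implies closing the gap: pinning the connection to the address that was checked, or running the check on the address the socket is about to connect to. The private-range list, the resolver, and the hostname and IP literals are all assumptions made for the example.

```ruby
require "ipaddr"

# Constructed list for the example: RFC 1918 ranges plus loopback, link-local,
# and the IPv6 equivalents. The real gem's list is broader.
PRIVATE_RANGES = %w[
  10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
  127.0.0.0/8 169.254.0.0/16 ::1/128 fc00::/7 fe80::/10
].map { |cidr| IPAddr.new(cidr) }.freeze

def private_address?(ip)
  addr = IPAddr.new(ip)
  PRIVATE_RANGES.any? { |range| range.include?(addr) }
end

# Simulated DNS (constructed): each hostname maps to a queue of answers.
# Every lookup consumes one answer until the last one, which then sticks,
# mimicking a rebinding server that answers public first, then private.
class RebindingResolver
  def initialize(answers)
    @answers = answers.transform_values(&:dup)
  end

  def resolve(host)
    queue = @answers.fetch(host)
    queue.length > 1 ? queue.shift : queue.first
  end
end

# Vulnerable pattern: validate one resolution, then let the HTTP client
# resolve the hostname again when it opens the socket. Returns the address
# the client would actually connect to.
def fetch_vulnerable(resolver, host)
  checked = resolver.resolve(host)
  if private_address?(checked)
    raise ArgumentError, "#{host} resolves to private address #{checked}"
  end
  resolver.resolve(host) # second lookup: the client's own resolution
end

# Hardened pattern 1: resolve once, check that result, and connect to the
# checked IP literal (a real client would still send Host: #{host}).
def fetch_pinned(resolver, host)
  ip = resolver.resolve(host)
  if private_address?(ip)
    raise ArgumentError, "#{host} resolves to private address #{ip}"
  end
  ip
end

# Hardened pattern 2: check at the socket boundary, on the exact address
# that is about to be connected to, so there is nothing between check and use.
def guarded_connect(ip)
  if private_address?(ip)
    raise ArgumentError, "refusing to connect to private address #{ip}"
  end
  ip
end

def fetch_socket_guarded(resolver, host)
  guarded_connect(resolver.resolve(host))
end

if __FILE__ == $PROGRAM_NAME
  answers = { "rebind.example" => ["93.184.216.34", "127.0.0.1"] }
  puts "vulnerable connects to: #{fetch_vulnerable(RebindingResolver.new(answers), 'rebind.example')}"
  puts "pinned connects to:     #{fetch_pinned(RebindingResolver.new(answers), 'rebind.example')}"
end
```

With the constructed resolver, the vulnerable flow passes the check on the public answer and then connects to 127.0.0.1; the pinned flow connects to the address it checked; the socket-guarded flow rejects the private answer at the moment it would be used. Pinning only works if the client lets you connect to an IP while preserving the original Host header and TLS SNI, which is why a socket-level check is the more general fix.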


Credit: Unknown
CVE: CVE-2018-3759
CWE: CWE-367
Snyk ID: SNYK-RUBY-PRIVATEADDRESSCHECK-22028
Disclosed: 04 May, 2018
Published: 10 Jun, 2018