NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks #46

Closed
opened 2024-02-13 04:40:10 +00:00 by argoyle · 0 comments
argoyle commented 2024-02-13 04:40:10 +00:00 (Migrated from gitlab.com)

⚠️ dependabot-gitlab has detected security vulnerability for ip in path: /, manifest_file: /package.json but was unable to update it! ⚠️

| Package  | Severity | Affected versions | Patched versions | IDs                                  |
|----------|----------|-------------------|------------------|--------------------------------------|
| ip (NPM) | HIGH     | <= 2.0.0          |                  | GHSA-78xj-cgh5-2h22, CVE-2023-42282  |

Description

An issue in all published versions of the NPM package ip allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.

References

* https://nvd.nist.gov/vuln/detail/CVE-2023-42282
* https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
* https://github.com/JoshGlazebrook/socks/issues/93#issue-2128357447
* https://github.com/github/advisory-database/pull/3504#issuecomment-1937179999
* https://github.com/advisories/GHSA-78xj-cgh5-2h22
argoyle (Migrated from gitlab.com) closed this issue 2024-02-21 04:41:15 +00:00
Reference: dancefinder/dancefinder-app#46