CVE-2017-0904

Name of the Vulnerable Software and Affected Versions private address check ruby gem versions prior to 0.4.0

Description The issue arises from the use of Ruby's Resolv.getaddresses method, which is OS-dependent and should not be relied upon for security measures. This method is used to blacklist private network addresses to prevent server-side request forgery, but its OS-dependent nature makes it unsuitable for such security purposes.

Recommendations For private address check ruby gem versions prior to 0.4.0, update to version 0.4.0 or later to resolve the issue. As a temporary workaround, consider disabling the use of the Resolv.getaddresses method until a patch is available. Restrict access to private network addresses to minimize the risk of server-side request forgery.