PT-2024-2322

Published: 2024-02-08 · Updated: 2026-01-27

CVE-2023-42282

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: ip package, versions prior to 1.1.9
Description: The issue is caused by the improper categorization of certain IP addresses as globally routable by the isPublic() function. If isPublic() is used to guard sensitive code paths and is passed user-controlled input, this can lead to security issues such as Server-Side Request Forgery (SSRF). The vulnerability may allow an attacker to execute arbitrary code and obtain sensitive information.
Recommendations: For versions prior to 1.1.9, update to version 1.1.9 or later to resolve the issue. As a temporary workaround, consider restricting the use of the isPublic() function until a patch is applied. Avoid passing user input to the isPublic() function to minimize the risk of exploitation.
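The recommendation above is to stop relying on isPublic() for user-supplied targets. The following is an added example of what a replacement guard can look like; it is not code from the ip package or from this advisory, and the function and constant names (isSafeOutboundTarget, parseStrictIPv4, BLOCKED_V4) are this example's own. The page does not state which address formats the lenient classifier mis-categorized, so the example does not try to enumerate them: it accepts only canonical dotted-decimal IPv4 (and the IPv4-mapped IPv6 form) and treats anything it cannot parse as unsafe, so an odd spelling of an address is rejected rather than silently classified as public.

```javascript
// Added example (not the ip package's code): a fail-closed SSRF target check.
// Rather than asking a lenient parser "is this address public?", it accepts
// only canonical dotted-decimal IPv4 literals and denies everything else.

// Ranges that an outbound request from a server should never reach.
// (Constructed list for this example; extend it for your deployment.)
const BLOCKED_V4 = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // RFC 1918 private
  ['100.64.0.0', 10],    // carrier-grade NAT
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local, including cloud metadata endpoints
  ['172.16.0.0', 12],    // RFC 1918 private
  ['192.168.0.0', 16],   // RFC 1918 private
  ['224.0.0.0', 4],      // multicast
  ['240.0.0.0', 4],      // reserved / limited broadcast
];

// Strict dotted-decimal parser: exactly four decimal octets, each 0-255,
// no leading zeros, no hex, no shorthand. Returns a 32-bit unsigned
// integer, or null when the string is not in canonical form.
function parseStrictIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const part = m[i];
    // "010" is ambiguous (octal in some parsers), so it is refused outright.
    if (part.length > 1 && part[0] === '0') return null;
    const v = Number(part);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n >>> 0;
}

// True when the 32-bit address `addr` falls inside base/bits.
function inCidr(addr, base, bits) {
  const baseN = parseStrictIPv4(base);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((addr & mask) >>> 0) === ((baseN & mask) >>> 0);
}

// Unwrap the IPv4-mapped IPv6 form ("::ffff:10.0.0.1") so it is judged
// by the same IPv4 rules instead of bypassing them.
function unwrapMapped(s) {
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(s);
  return m ? m[1] : s;
}

// Returns true only for a canonical IPv4 literal outside every blocked
// range. Unparsable input yields false: the check fails closed, which is
// the opposite default from a lenient "is it public?" classifier.
function isSafeOutboundTarget(host) {
  const addr = parseStrictIPv4(unwrapMapped(String(host).trim()));
  if (addr === null) return false;
  return !BLOCKED_V4.some(([base, bits]) => inCidr(addr, base, bits));
}

// Usage: gate the outbound fetch on the resolved address, not the hostname.
// console.log(isSafeOutboundTarget('93.184.216.34'));  // true
// console.log(isSafeOutboundTarget('127.1'));          // false (not canonical)
```

Two design points matter more than the range list. First, the guard should be applied to the address the request will actually connect to (after DNS resolution, and again on every redirect), because a hostname that passes a string check can still resolve to an internal address. Second, hostnames and IPv6 literals are deliberately not accepted by this function; a deployment that needs them should add an equally strict parser for each form rather than loosening this one.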

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers

AZL-34379
AZL-34380
AZL-34439
AZL-35042
BDU:2024-02261
CVE-2023-42282
GHSA-78XJ-CGH5-2H22
USN-6643-1

Affected Products

Bitbucket
Confluence
Debian
Linuxmint
Ubuntu
Ip