Skip to content

private_address_check contains race condition

High severity GitHub Reviewed Published Jul 31, 2018 to the GitHub Advisory Database • Updated Aug 25, 2023

Package

bundler private_address_check (RubyGems)

Affected versions

< 0.5.0

Patched versions

0.5.0

Description

The private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address.

References

Published to the GitHub Advisory Database Jul 31, 2018
Reviewed Jun 16, 2020
Last updated Aug 25, 2023

Severity

High

EPSS score

0.085%
(38th percentile)

Weaknesses

CVE ID

CVE-2018-3759

GHSA ID

GHSA-2xvj-j3qh-x8c3
Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.