{"id":"CVE-2017-0904","details":"The private_address_check Ruby gem before 0.4.0 is vulnerable to a bypass because it uses Ruby's Resolv.getaddresses method, whose behavior is OS-dependent and should not be relied upon for security measures, such as blacklisting private network addresses to prevent server-side request forgery.","aliases":["GHSA-hxhj-hp9m-qwc4"],"modified":"2026-04-01T23:57:23.995720Z","published":"2017-11-13T17:29:00.347Z","references":[{"type":"ADVISORY","url":"https://github.com/jtdowney/private_address_check/commit/58a0d7fe31de339c0117160567a5b33ad82b46af"},{"type":"REPORT","url":"https://edoverflow.com/2017/ruby-resolv-bug/"},{"type":"REPORT","url":"https://github.com/jtdowney/private_address_check/issues/1"},{"type":"REPORT","url":"https://hackerone.com/reports/287835"},{"type":"FIX","url":"https://hackerone.com/reports/287245"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jtdowney/private_address_check","events":[{"introduced":"0"},{"fixed":"e76cadab736ee5c30d7d4c5220db9d42488d1e1e"},{"fixed":"58a0d7fe31de339c0117160567a5b33ad82b46af"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"0.4.0"}]}}],"versions":["v0.1.0","v0.2.0","v0.3.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2017-0904.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}