Skip to content

private_address_check contains race condition

High severity GitHub Reviewed Published Jul 31, 2018 to the GitHub Advisory Database • Updated Aug 25, 2023

Package

bundler private_address_check (RubyGems)

Affected versions

< 0.5.0

Patched versions

0.5.0

Description

The private_address_check ruby gem before 0.5.0 is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to the address the socket uses not being checked. DNS entries with a TTL of 0 can trigger this case where the initial resolution is a public address but the subsequent resolution is a private address.

References

Published to the GitHub Advisory Database Jul 31, 2018
Reviewed Jun 16, 2020
Last updated Aug 25, 2023

Severity

High

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(32nd percentile)

Weaknesses

CVE ID

CVE-2018-3759

GHSA ID

GHSA-2xvj-j3qh-x8c3

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.