Vulnerabilities > CVE-2020-28360 - Server-Side Request Forgery (SSRF) vulnerability in Private-Ip Project Private-Ip

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

private-ip-project

CWE-918

NVD

Published: 2020-11-23

Updated: 2021-07-15

Summary

Insufficient RegEx in private-ip npm package v1.0.5 and below insufficiently filters reserved IP ranges resulting in indeterminate SSRF. An attacker can perform a large range of requests to ARIN reserved IP ranges, resulting in an indeterminable number of critical attack vectors, allowing remote attackers to request server-side resources or potentially execute arbitrary code through various SSRF techniques.

Vulnerable Configurations

Part	Description	Count
Application	Private-Ip_Project Private IP Project Private IP 0.1.0 Private IP Project Private IP 1.0.0 Private IP Project Private IP 1.0.1 Private IP Project Private IP 1.0.2 Private IP Project Private IP 1.0.5	5

Common Weakness Enumeration (CWE)

CWE-918 - Server-Side Request Forgery (SSRF)

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References