CVE-2023-42282 - Server-Side Request Forgery (SSRF) vulnerability in Fedorindutny IP
CVSS metrics
- Attack vector: NETWORK
- Attack complexity: LOW
- Privileges required: NONE
- Confidentiality impact: HIGH
- Integrity impact: HIGH
- Availability impact: HIGH
Summary
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses, such as 0x7f.1, are improperly categorized as globally routable by isPublic.
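The root cause named in the summary is that a non-canonical IPv4 literal (hex octets, octal octets, or fewer than four parts) resolves to the same host as its dotted-decimal spelling, but a range check that only recognises the dotted-decimal spelling lets it through. The example below is added here and is not the ip package's code or the fix referenced above; the helper names (canonicalizeIPv4, isLoopbackOrPrivate, isSafeOutboundTarget, naiveIsPublic) are hypothetical. It canonicalises a literal the way inet_aton() does before classifying it, rejects anything it cannot parse, and shows beside it a constructed string-only classifier that exhibits the misclassification the advisory describes.

```javascript
// Added example, not the ip package's implementation. Parses legacy IPv4
// literals the way inet_aton() does and classifies the canonical form.

// One inet_aton() part: hex (0x..), octal (leading 0), or decimal.
const LEGACY_PART = /^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$/i;

function parseLegacyPart(s) {
  if (!LEGACY_PART.test(s)) return null;
  if (/^0x/i.test(s)) return parseInt(s.slice(2), 16);
  if (s.length > 1 && s[0] === '0') return parseInt(s, 8);
  return parseInt(s, 10);
}

// Returns the dotted-decimal form of any inet_aton()-style literal
// ("0x7f.1", "0177.0.0.1", "2130706433", "127.0.0.1"), or null if the
// string is not a valid literal at all.
function canonicalizeIPv4(literal) {
  const parts = literal.split('.');
  if (parts.length < 1 || parts.length > 4) return null;
  const nums = parts.map(parseLegacyPart);
  if (nums.some((n) => n === null)) return null;
  // inet_aton() rule: every leading part is one byte, the last part
  // fills all remaining bytes.
  const leading = nums.slice(0, -1);
  const last = nums[nums.length - 1];
  if (leading.some((n) => n > 255)) return null;
  const remainingBytes = 4 - leading.length;
  if (last >= 2 ** (8 * remainingBytes)) return null;
  let value = 0;
  for (const n of leading) value = value * 256 + n;
  value = value * 256 ** remainingBytes + last;
  return [value >>> 24, (value >>> 16) & 255, (value >>> 8) & 255, value & 255].join('.');
}

// Subset of non-globally-routable ranges relevant to SSRF (loopback,
// RFC 1918, link-local, "this network"); extend for your environment.
function isLoopbackOrPrivate(canonical) {
  const [a, b] = canonical.split('.').map(Number);
  return a === 127 || a === 10 || a === 0 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254);
}

// Hardened check: canonicalise first, fail closed on anything unparsable.
function isSafeOutboundTarget(literal) {
  const canonical = canonicalizeIPv4(literal);
  if (canonical === null) return false;
  return !isLoopbackOrPrivate(canonical);
}

// Constructed illustration of the failure mode (not the ip package's code):
// a classifier that only knows the dotted-decimal spelling of the ranges,
// so "0x7f.1" is never matched and is reported as public.
function naiveIsPublic(literal) {
  return !/^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|169\.254\.|0\.)/.test(literal);
}

// Constructed inputs: the literal from the advisory plus equivalent spellings.
for (const lit of ['0x7f.1', '0177.0.0.1', '2130706433', '127.0.0.1', '8.8.8.8']) {
  console.log(lit, '->', canonicalizeIPv4(lit),
    'naiveIsPublic:', naiveIsPublic(lit),
    'safe:', isSafeOutboundTarget(lit));
}
```

The defensive point is the order of operations: classify the canonical address, never the user-supplied string, and treat "cannot canonicalise" as "not safe". In a real service the same check must also be applied to the address a hostname actually resolves to, since DNS can return a loopback or private address just as a literal can.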
Vulnerable Configurations
Common Weakness Enumeration (CWE)
References
- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
- https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
- https://security.netapp.com/advisory/ntap-20240315-0008/
- https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/