CVE-2023-42282

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-42282
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html Exploit Third Party Advisory
https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 Patch
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ Exploit Technical Description
https://security.netapp.com/advisory/ntap-20240315-0008/ Third Party Advisory
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/ Press/Media Coverage
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fedorindutny:ip:*:*:*:*:*:node.js:*:*
cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:node.js:*:*
History

09 Oct 2024, 15:14

Type Values Removed Values Added
References () https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/ - () https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/ - Press/Media Coverage

03 Jul 2024, 22:15

Type Values Removed Values Added
References
  • () https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/ -

15 Mar 2024, 19:25

Type Values Removed Values Added
References () https://security.netapp.com/advisory/ntap-20240315-0008/ - () https://security.netapp.com/advisory/ntap-20240315-0008/ - Third Party Advisory
CPE cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:node.js:*:*

15 Mar 2024, 11:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240315-0008/ -

06 Mar 2024, 15:26

Type Values Removed Values Added
References () https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 - () https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 - Patch
References () https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ - () https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ - Exploit, Technical Description
CPE cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:*:*:*

03 Mar 2024, 00:15

Type Values Removed Values Added
Summary (en) An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. (en) The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
References
  • () https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 -
  • () https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ -

15 Feb 2024, 03:27

Type Values Removed Values Added
References () https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html - () https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html - Exploit, Third Party Advisory
CPE cpe:2.3:a:fedorindutny:ip:*:*:*:*:*:node.js:*:*
First Time Fedorindutny ip
Fedorindutny
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
CWE CWE-918
Summary
  • (es) Un problema en el paquete IP NPM v.1.1.8 y anteriores permite a un atacante ejecutar código arbitrario y obtener información confidencial a través de la función isPublic().

08 Feb 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-08 17:15

Updated : 2024-10-09 15:14

NVD link : CVE-2023-42282

Mitre link : CVE-2023-42282

CVE.ORG link : CVE-2023-42282

JSON object : View

Products Affected

fedorindutny

  • ip
CWE
CWE-918

Server-Side Request Forgery (SSRF)