CVE-2023-42282

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2023-42282
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html Exploit Third Party Advisory
https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 Patch
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ Exploit Technical Description
https://security.netapp.com/advisory/ntap-20240315-0008/ Third Party Advisory
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:fedorindutny:ip:*:*:*:*:*:node.js:*:*
cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:node.js:*:*
History

03 Jul 2024, 22:15

Type Values Removed Values Added
References
  • () https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/ -

15 Mar 2024, 19:25

Type Values Removed Values Added
References () https://security.netapp.com/advisory/ntap-20240315-0008/ - () https://security.netapp.com/advisory/ntap-20240315-0008/ - Third Party Advisory
CPE cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:*:*:* cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:node.js:*:*

15 Mar 2024, 11:15

Type Values Removed Values Added
References
  • () https://security.netapp.com/advisory/ntap-20240315-0008/ -

06 Mar 2024, 15:26

Type Values Removed Values Added
CPE cpe:2.3:a:fedorindutny:ip:2.0.0:*:*:*:*:*:*:*
References () https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 - () https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 - Patch
References () https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ - () https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ - Exploit, Technical Description

03 Mar 2024, 00:15

Type Values Removed Values Added
References
  • () https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894 -
  • () https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ -
Summary (en) An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function. (en) The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

15 Feb 2024, 03:27

Type Values Removed Values Added
CPE cpe:2.3:a:fedorindutny:ip:*:*:*:*:*:node.js:*:*
CWE CWE-918
First Time Fedorindutny
Fedorindutny ip
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.8
References () https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html - () https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html - Exploit, Third Party Advisory

08 Feb 2024, 18:42

Type Values Removed Values Added
New CVE
Information

Published : 2024-02-08 17:15

Updated : 2024-07-03 22:15

NVD link : CVE-2023-42282

Mitre link : CVE-2023-42282

CVE.ORG link : CVE-2023-42282

JSON object : View

Products Affected

fedorindutny

  • ip
CWE
CWE-918

Server-Side Request Forgery (SSRF)