CVE-2023-42282

Published

Last updated

NVD

https://nvd.nist.gov/vuln/detail/CVE-2023-42282

Severity

9.8

Critical

CVSS CVSS_V3

Description

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

References

https://images.chainguard.dev/security/CGA-wmrg-c2f3-3mxp
https://github.com/advisories/GHSA-78xj-cgh5-2h22
https://images.chainguard.dev/security/CGA-rjph-mh5h-gjxh
https://images.chainguard.dev/security/CGA-h2vc-754j-xjqh
https://images.chainguard.dev/security/CGA-ff5p-6mq6-jqwc
https://images.chainguard.dev/security/CGA-qp42-6597-pf5p
https://images.chainguard.dev/security/CGA-f5wr-mc55-fv79
https://images.chainguard.dev/security/CGA-rjf6-jvph-7436
https://images.chainguard.dev/security/CGA-fvfm-q846-9mcf
https://images.chainguard.dev/security/CGA-272p-x3qw-pg4v
https://images.chainguard.dev/security/CGA-h3gc-8gvv-wx58
https://images.chainguard.dev/security/CGA-r5v2-cqxr-m298
https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
https://security.netapp.com/advisory/ntap-20240315-0008/
https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/
https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only/
https://security-tracker.debian.org/tracker/CVE-2023-42282

Affected packages

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Private Policy

Product

Chainguard Containers Chainguard Libraries Chainguard VMs Integrations Pricing

Solutions

FedRAMP PCI DSS Golden Images CVE Remediation Public Sector

Customers

Customer Stories Chainguard Reviews

Resources

Events & Webinars Chainguard Courses Documentation Trust Center

Company

About Us Blog Partners Newsroom Careers Legal