Vulnerability Description
The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
CVSS Score
9.8
CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Fedorindutny | Ip | < 1.1.9 |
Related Weaknesses (CWE)
References
- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.htmlExploitThird Party Advisory
- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf678Patch
- https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ExploitTechnical Description
- https://security.netapp.com/advisory/ntap-20240315-0008/Third Party Advisory
- https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-hiPress/Media Coverage
- https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.htmlExploitThird Party Advisory
- https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf678Patch
- https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3/ExploitTechnical Description
- https://security.netapp.com/advisory/ntap-20240315-0008/Third Party Advisory
- https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-hiPress/Media Coverage
FAQ
What is CVE-2023-42282?
CVE-2023-42282 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.
How severe is CVE-2023-42282?
CVE-2023-42282 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2023-42282?
Check the references section above for vendor advisories and patch information. Affected products include: Fedorindutny Ip.