CVE-2017-0905.yml
---
gem: recurly
cve: 2017-0905
ghsa: x27v-x225-gq8g
url: https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be
title: SSRF vulnerability in Recurly gem's Resource#find.
date: 2017-11-09
description: |
  If you are using the #find method on any of the classes that are derived from
  the Resource class and you are passing user input into that method, a
  malicious user can force the http client to reach out to a server under their
  control. This can lead to leakage of your private API key.
  Because of the severity of impact, we are recommending that all users upgrade
  to a patched version. We have provided a non-breaking patch for every 2.X
  version of the client.
cvss_v3: 9.8
patched_versions:
- "~> 2.0.13"
- "~> 2.1.11"
- "~> 2.2.5"
- "~> 2.3.10"
- "~> 2.4.11"
- "~> 2.5.3"
- "~> 2.6.3"
- "~> 2.7.8"
- "~> 2.8.2"
- "~> 2.9.2"
- "~> 2.10.4"
- "~> 2.11.3"
- ">= 2.12.0"
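The patched_versions entries above are RubyGems requirement strings, one per 2.X release line. As an added example (not part of this advisory or of the Recurly client), the Ruby snippet below evaluates installed gem versions against those ranges the way an audit tool would, reporting which ones still fall in an unpatched range:

```ruby
require "rubygems"

# Patched ranges copied verbatim from the CVE-2017-0905 advisory above.
PATCHED_VERSIONS = [
  "~> 2.0.13", "~> 2.1.11", "~> 2.2.5", "~> 2.3.10", "~> 2.4.11",
  "~> 2.5.3", "~> 2.6.3", "~> 2.7.8", "~> 2.8.2", "~> 2.9.2",
  "~> 2.10.4", "~> 2.11.3", ">= 2.12.0"
].freeze

# True when +version+ (a String such as "2.7.8") satisfies at least one
# patched range, i.e. that installed recurly gem is not affected.
# "~> 2.7.8" means >= 2.7.8 and < 2.8, so each range covers one release line.
def patched?(version, patched = PATCHED_VERSIONS)
  v = Gem::Version.new(version)
  patched.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Given a list of version strings (for example collected from several
# Gemfile.lock files), return the ones that still need upgrading.
def vulnerable_versions(versions, patched = PATCHED_VERSIONS)
  versions.reject { |ver| patched?(ver, patched) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input, not taken from a real lockfile.
  sample = %w[2.0.12 2.0.13 2.7.7 2.7.8 2.12.1]
  puts "vulnerable: #{vulnerable_versions(sample).inspect}"
end
```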