blob: c0d395494431cc63788aa352aac404acad81b298 [file] [log] [blame]
id: GO-2023-1526
modules:
- module: github.com/hakobe/paranoidhttp
versions:
- fixed: 0.3.0
vulnerable_at: 0.2.0
packages:
- package: github.com/hakobe/paranoidhttp
symbols:
- safeAddr
summary: Server-side request forgery in github.com/hakobe/paranoidhttp
description: |-
Paranoidhttp before is vulnerable to SSRF because [::] is equivalent to the
127.0.0.1 address, but does not match the filter for private addresses.
cves:
- CVE-2023-24623
ghsas:
- GHSA-v9mp-j8g7-2q6m
references:
- web: https://github.com/hakobe/paranoidhttp/blob/master/CHANGELOG.md#v030-2023-01-19
- fix: https://github.com/hakobe/paranoidhttp/commit/07f671da14ce63a80f4e52432b32e8d178d75fd3
- web: https://github.com/hakobe/paranoidhttp/compare/v0.2.0...v0.3.0
review_status: REVIEWED