CVE-2020-28360 - Critical Changes made to private-ip #59
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
See: frenchbread/private-ip#3 Please help https://github.com/frenchbread/private-ip by including IPv6 if you can. ### Official CVE Links: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28360 https://nvd.nist.gov/vuln/detail/CVE-2020-28360 ### Summary This is important information for developers and companies that use private-ip: https://www.npmjs.com/package/private-ip The previous version has been changed to use another package called netmask: https://www.npmjs.com/package/netmask The ranges now used are the ARIN reserved ranges: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml ### Problems Critically important is that this no longer has IPv6 reserved IP range exclusions, so if someone would like to submit a PR that would be fantastic. This may cause problems if your application is used internally and in some way is using the vulnerability as a feature. Most importantly is that applications using private-ip may be susceptible to server-side request forgery. More detailed explanations can be found: https://johnjhacking.com/blog/cve-2020-28360/ https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-022.md ### How to Test if your application is vlnerable to SSRF Create requests using the following reserved IP's: ``` 0.0.0.0 0.0.0.1 0.0.0.255 0.0.0.7 0.0.255.255 0.1.255.255 0.15.255.255 0.255.255.254 0.255.255.255 0.63.255.255 100.127.255.254 100.127.255.255 100.64.0.0 100.64.0.1 192.0.0.0 192.0.0.1 192.0.0.10 192.0.0.11 192.0.0.170 192.0.0.171 192.0.0.254 192.0.0.255 192.0.0.6 192.0.0.7 192.0.0.8 192.0.0.9 192.0.2.0 192.0.2.1 192.0.2.254 192.0.2.255 192.175.48.0 192.175.48.1 192.175.48.254 192.175.48.255 192.31.196.0 192.31.196.1 192.31.196.254 192.31.196.255 192.52.193.0 192.52.193.1 192.52.193.254 192.52.193.255 192.88.99.0 192.88.99.1 192.88.99.254 192.88.99.255 198.18.0.0 198.18.0.1 198.19.255.254 198.19.255.255 198.51.100.0 198.51.100.1 198.51.100.254 198.51.100.255 203.0.113.0 203.0.113.1 203.0.113.254 203.0.113.255 240.0.0.0 240.0.0.1 255.0.0.0 255.192.0.0 255.240.0.0 255.254.0.0 255.255.0.0 255.255.255.0 255.255.255.248 255.255.255.254 255.255.255.255 0000.0000.0000.0000 ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
复制链接