Skip to content

Patch 1 #60

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
asd0086 wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Patch 1 #60

asd0086 wants to merge 2 commits into from

Conversation

@asd0086
Copy link

@asd0086 asd0086 commented Jun 12, 2021

No description provided.

sickcodes and others added 2 commits November 26, 2020 07:57
@sickcodes
CVE-2020-28360 - Critical Changes made to private-ip
09912f1 
See: frenchbread/private-ip#3

Please help https://github.com/frenchbread/private-ip by including IPv6 if you can.

### Official CVE Links:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28360

https://nvd.nist.gov/vuln/detail/CVE-2020-28360

### Summary

This is important information for developers and companies that use private-ip: https://www.npmjs.com/package/private-ip

The previous version has been changed to use another package called netmask: https://www.npmjs.com/package/netmask

The ranges now used are the ARIN reserved ranges: https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml

### Problems

Critically important is that this no longer has IPv6 reserved IP range exclusions, so if someone would like to submit a PR that would be fantastic.

This may cause problems if your application is used internally and in some way is using the vulnerability as a feature.

Most importantly is that applications using private-ip may be susceptible to server-side request forgery.

More detailed explanations can be found:

https://johnjhacking.com/blog/cve-2020-28360/

https://github.com/sickcodes/security/blob/master/advisories/SICK-2020-022.md

### How to Test if your application is vlnerable to SSRF

Create requests using the following reserved IP's:

```
0.0.0.0
0.0.0.1
0.0.0.255
0.0.0.7
0.0.255.255
0.1.255.255
0.15.255.255
0.255.255.254
0.255.255.255
0.63.255.255
100.127.255.254
100.127.255.255
100.64.0.0
100.64.0.1
192.0.0.0
192.0.0.1
192.0.0.10
192.0.0.11
192.0.0.170
192.0.0.171
192.0.0.254
192.0.0.255
192.0.0.6
192.0.0.7
192.0.0.8
192.0.0.9
192.0.2.0
192.0.2.1
192.0.2.254
192.0.2.255
192.175.48.0
192.175.48.1
192.175.48.254
192.175.48.255
192.31.196.0
192.31.196.1
192.31.196.254
192.31.196.255
192.52.193.0
192.52.193.1
192.52.193.254
192.52.193.255
192.88.99.0
192.88.99.1
192.88.99.254
192.88.99.255
198.18.0.0
198.18.0.1
198.19.255.254
198.19.255.255
198.51.100.0
198.51.100.1
198.51.100.254
198.51.100.255
203.0.113.0
203.0.113.1
203.0.113.254
203.0.113.255
240.0.0.0
240.0.0.1
255.0.0.0
255.192.0.0
255.240.0.0
255.254.0.0
255.255.0.0
255.255.255.0
255.255.255.248
255.255.255.254
255.255.255.255
0000.0000.0000.0000
```
@asd0086
Create index
bb14c07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

size/XS

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@asd0086 @sickcodes