
CVSS: 9.8 | EPSS: 0% | CPEs: 2 | EXPL: 2

The ip package before 1.1.9 for Node.js might allow SSRF because some IP addresses (such as 0x7f.1) are improperly categorized as globally routable via isPublic.

An issue in the NPM IP package v.1.1.8 and earlier allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.

A vulnerability was found in the NPM IP Package. This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources.

• https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
• https://github.com/indutny/node-ip/commit/6a3ada9b471b09d5f0f5be264911ab564bf67894
• https://huntr.com/bounties/bfc3b23f-ddc0-4ee7-afab-223b07115ed3
• https://security.netapp.com/advisory/ntap-20240315-0008
• https://www.bleepingcomputer.com/news/security/dev-rejects-cve-severity-makes-his-github-repo-read-only
• https://access.redhat.com/security/cve/CVE-2023-42282
• https://bugzilla.redhat.com/show_bug.cgi?id=2265161

• CWE-918: Server-Side Request Forgery (SSRF)