Merge pull request #3504 from github/G-Rath-GHSA-78xj-cgh5-2h22

github · Feb 12, 2024 · 0200827 · 0200827
2 parents efceb1d + 041801d
commit 0200827
Showing 1 changed file with 21 additions and 2 deletions.
diff --git a/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json b/advisories/github-reviewed/2024/02/GHSA-78xj-cgh5-2h22/GHSA-78xj-cgh5-2h22.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-78xj-cgh5-2h22",
-  "modified": "2024-02-09T15:12:06Z",
+  "modified": "2024-02-09T15:12:07Z",
   "published": "2024-02-08T18:30:39Z",
   "aliases": [
     "CVE-2023-42282"
   ],
   "summary": "NPM IP package vulnerable to Server-Side Request Forgery (SSRF) attacks",
-  "details": "An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.",
+  "details": "An issue in all published versions of the NPM package `ip` allows an attacker to execute arbitrary code and obtain sensitive information via the `isPublic()` function. This can lead to potential Server-Side Request Forgery (SSRF) attacks. The core issue is the function's failure to accurately distinguish between public and private IP addresses.",
   "severity": [
 
   ],
@@ -30,6 +30,25 @@
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "ip"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.0.0"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [