Paranoidhttp Server-Side Request Forgery vulnerability · CVE-2023-24623 · GitHub Advisory Database · GitHub

Paranoidhttp Server-Side Request Forgery vulnerability

High severity GitHub Reviewed Published Jan 30, 2023 to the GitHub Advisory Database • Updated May 20, 2024

Package

github.com/hakobe/paranoidhttp (Go)

Affected versions

< 0.3.0

Patched versions

0.3.0

Description

Paranoidhttp before 0.3.0 allows SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.

References

Published by the National Vulnerability Database

Jan 30, 2023

Published to the GitHub Advisory Database Jan 30, 2023

Reviewed Feb 8, 2023

Last updated May 20, 2024

Severity

High

/ 10

CVSS v3 base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N