Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2017-0905 (GCVE-0-2017-0905)
Vulnerability from cvelistv5 – Published: 2017-11-13 17:00 – Updated: 2024-09-16 23:56
VLAI?
EPSS
Summary
The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource#find" method that could result in compromise of API keys or other critical resources.
Severity ?
No CVSS data available.
CWE
- CWE-918 - Server-Side Request Forgery (SSRF) (CWE-918)
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Recurly | recurly ruby gem |
Affected:
Versions before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T13:25:17.133Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://dev.recurly.com/page/ruby-updates"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://hackerone.com/reports/288635"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "recurly ruby gem",
"vendor": "Recurly",
"versions": [
{
"status": "affected",
"version": "Versions before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3"
}
]
}
],
"datePublic": "2017-11-06T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource#find\" method that could result in compromise of API keys or other critical resources."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF) (CWE-918)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-11-13T16:57:01.000Z",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://dev.recurly.com/page/ruby-updates"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://hackerone.com/reports/288635"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2017-11-06T00:00:00",
"ID": "CVE-2017-0905",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "recurly ruby gem",
"version": {
"version_data": [
{
"version_value": "Versions before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3"
}
]
}
}
]
},
"vendor_name": "Recurly"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource#find\" method that could result in compromise of API keys or other critical resources."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) (CWE-918)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dev.recurly.com/page/ruby-updates",
"refsource": "CONFIRM",
"url": "https://dev.recurly.com/page/ruby-updates"
},
{
"name": "https://hackerone.com/reports/288635",
"refsource": "MISC",
"url": "https://hackerone.com/reports/288635"
},
{
"name": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be",
"refsource": "CONFIRM",
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2017-0905",
"datePublished": "2017-11-13T17:00:00.000Z",
"dateReserved": "2016-11-30T00:00:00.000Z",
"dateUpdated": "2024-09-16T23:56:22.112Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2017-0905
Vulnerability from fkie_nvd - Published: 2017-11-13 17:29 - Updated: 2025-04-20 01:37
Severity ?
Summary
The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource#find" method that could result in compromise of API keys or other critical resources.
References
| URL | Tags | ||
|---|---|---|---|
| support@hackerone.com | https://dev.recurly.com/page/ruby-updates | Vendor Advisory | |
| support@hackerone.com | https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be | Patch, Third Party Advisory | |
| support@hackerone.com | https://hackerone.com/reports/288635 | Permissions Required | |
| af854a3a-2127-422b-91ae-364da2661108 | https://dev.recurly.com/page/ruby-updates | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be | Patch, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://hackerone.com/reports/288635 | Permissions Required |
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.0:*:*:*:*:*:*:*",
"matchCriteriaId": "D2111C93-1F01-4B79-B731-14E639037521",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BE0E6539-B427-4F49-8F7D-9D7778E2174B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D1DCAD09-8071-4965-88B6-64D83F9FEDB2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "BE1A049E-4B43-4FF8-9AFC-803A85ABF7AA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6C1515F4-4B33-4A04-8448-A2E4397B1581",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5215C59F-D763-41F4-9673-77B64481DF16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "667CAF6A-2F8D-498A-9797-CEB2C457F967",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.7:*:*:*:*:*:*:*",
"matchCriteriaId": "78812028-9678-48FF-83B4-C6BA0DA5ED95",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.8:*:*:*:*:*:*:*",
"matchCriteriaId": "3BC2ABD2-E685-45E4-A423-909DF3C8FABE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.9:*:*:*:*:*:*:*",
"matchCriteriaId": "1169885A-59C3-40B8-AC53-625A20A40295",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.10:*:*:*:*:*:*:*",
"matchCriteriaId": "B660902B-353C-4917-A607-3DEBB076B130",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.11:*:*:*:*:*:*:*",
"matchCriteriaId": "8CE4D650-30B2-461C-BB58-E56112B21E16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.12:*:*:*:*:*:*:*",
"matchCriteriaId": "429B0B74-B230-428A-BF7D-FDE45FACBA7E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "62D6ED01-8289-4F93-ADC6-0E5C5E8BD348",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.0:c:*:*:*:*:*:*",
"matchCriteriaId": "13ABB028-6997-40DC-B61E-27238BEF99A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3746FE6C-CE9F-4267-871D-D585CD404305",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "F725D5E4-E81F-4DB7-AE22-F9A36872CC75",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "29351445-7C64-4409-9B5E-5AEBB96FC4C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "8516A98B-AE81-48A9-BBBA-9F050FE0AD60",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "7B6F5715-A3D5-4CCC-9645-AFB56E26FD5E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "3FD7D5EB-4C42-4966-ACAA-185DA5ECB72A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4C65414F-75FC-4C15-8265-F73E9BFAB067",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.8:*:*:*:*:*:*:*",
"matchCriteriaId": "16944240-53F2-4F7D-9C29-DF2B0CA5C763",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.9:*:*:*:*:*:*:*",
"matchCriteriaId": "ED1A64D2-F06A-490B-8D59-B6F9B83E9152",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.10:*:*:*:*:*:*:*",
"matchCriteriaId": "58881236-C96F-461C-BFE0-5880039C1203",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DC547D0F-E1FB-4C19-A3D0-D3FC48E4EDB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "99AFBA9B-BFA3-494C-90B9-55F3D18604DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "066D3983-6BF1-4416-B87E-725122DF82EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A9FBEB10-5B34-47F6-85BC-8995CE77AC05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.4:*:*:*:*:*:*:*",
"matchCriteriaId": "869018B3-4286-4D34-B69F-4749A61DC1A5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "95919D64-1B0F-4005-BDF8-C390DBA181E4",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "0F8A6E88-C153-440B-AEC6-EBA2BFD3E2E5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2F8F03AC-BD84-4D2A-B6DC-94BF509C3C67",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E288DC42-7D2E-404D-85FF-CA02CFD16164",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "9E53C11E-E506-4113-95D8-C526E70A2AAA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "D5BC2A4D-D523-4B82-872C-EF2D1F70992D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "33692513-74D9-472C-B3D3-54F06C835832",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.6:*:*:*:*:*:*:*",
"matchCriteriaId": "09210851-79D4-49B5-994E-07E40C489D16",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.7:*:*:*:*:*:*:*",
"matchCriteriaId": "8021F44A-CD23-4D15-9411-20F0E28C7D25",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A9C5ADAE-E620-4440-8C3D-D071A279FB2E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.9:*:*:*:*:*:*:*",
"matchCriteriaId": "A810DF15-CCDF-4D5E-A3A2-4DF852D9CBF4",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "8D427209-016F-4115-9447-7F96875A7D86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "36D5AD56-959D-4990-9B43-170D9083CDF3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "78789F09-77A2-4A86-882D-DEA4E52ED6C9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0737A57D-411D-4BB5-83FC-15900B0D9150",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.4:*:*:*:*:*:*:*",
"matchCriteriaId": "633161B1-1E51-40E9-8EE2-9EDCDDA653D2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "9E2CC4EA-8D08-42D8-A822-78042CD7946D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "91083CF3-8A5C-4178-A91A-BB6DE3C2BAF0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.7:*:*:*:*:*:*:*",
"matchCriteriaId": "D9BC8E96-C437-4016-8A22-F402BF6B8E19",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.8:*:*:*:*:*:*:*",
"matchCriteriaId": "A9E8AD18-59DF-45BD-AB25-F62CAEC223FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.9:*:*:*:*:*:*:*",
"matchCriteriaId": "D2BDD100-4A8E-4700-9377-22AB1483E76C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.10:*:*:*:*:*:*:*",
"matchCriteriaId": "1E580467-9DC2-43CC-8C00-92BCFC4DA49A",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.0:*:*:*:*:*:*:*",
"matchCriteriaId": "01596D40-6039-4626-AF32-FE4C217EE120",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "ED738A23-EB6C-4BAF-9CDF-209C6EF8E70D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "26315E34-0869-4A18-B9E7-4E3306FAB4B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "881A7D1C-769C-4B10-9034-E017CD300280",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "B4775539-0309-4FEA-BE79-2D45FE4E0B7C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7E684118-BCA4-4A8F-A49C-87B06294523F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.6.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D24E0F3B-EA8D-4D67-B16E-244E8954155F",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEF8F56B-BEF3-4276-9B38-C8C1A0867B00",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6A41F7A0-B271-4060-80F2-8E6B2B6051E1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.2:*:*:*:*:*:*:*",
"matchCriteriaId": "FE24079A-61D1-411E-BAA7-6B75251CAAC5",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "81EFB16F-267E-417A-AF3E-E20E674FC59D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7E3C6786-1E84-4906-BE56-938FEC02E7FE",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "928F451E-6416-455C-8F3E-56FC918A3AC3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "E3C38ACD-05EB-4EDE-8BDC-CDEA4EDF4C78",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "0148307A-7F03-4B83-BAC5-A090B534DD9B",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.0:*:*:*:*:*:*:*",
"matchCriteriaId": "665A2524-FA33-4BF1-B496-160964DB71D1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.0:rc1:*:*:*:*:*:*",
"matchCriteriaId": "5F4373D8-DBC3-4B3C-A911-2EEC94668694",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.0:rc3:*:*:*:*:*:*",
"matchCriteriaId": "50F53821-6B2E-47B5-898A-72BA03DE9889",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "429C418A-A716-4A8D-A8FD-5A895F4BBA11",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "5EE4E79E-5DD5-48D7-8254-14CF61EEAA8E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.9.1:*:*:*:*:*:*:*",
"matchCriteriaId": "CF88DD8B-3243-484E-9ED5-BF5C99D69D25",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.0:*:*:*:*:*:*:*",
"matchCriteriaId": "9FD6D773-CF96-4E8C-82FC-187116AEE584",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.1:*:*:*:*:*:*:*",
"matchCriteriaId": "2FA30686-C9AA-4031-B2F9-C5779B34D8DB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B8FFF737-4974-43C8-8C2F-475BFB05CA9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5BACB549-4C65-4B09-8C0F-ABC662B52016",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "1607963B-FBC3-4A32-A2D8-9ACBAFD97962",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "002E6140-C28B-4CDE-8EFF-90CB4768F4CF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:recurly:recurly_client_ruby:2.11.2:*:*:*:*:*:*:*",
"matchCriteriaId": "9C509480-F8E5-4A7D-ADA7-235D5F2C8A94",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource#find\" method that could result in compromise of API keys or other critical resources."
},
{
"lang": "es",
"value": "La biblioteca de Ruby Recurly Client en versiones anteriores a la 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4 y 2.11.3 es vulnerable a Server-Side Request Forgery en el m\u00e9todo \"Resource#find\" que podr\u00eda conllevar el compromiso de las claves API o de otros recursos cr\u00edticos."
}
],
"id": "CVE-2017-0905",
"lastModified": "2025-04-20T01:37:25.860",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2017-11-13T17:29:00.427",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.recurly.com/page/ruby-updates"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
},
{
"source": "support@hackerone.com",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/288635"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.recurly.com/page/ruby-updates"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/288635"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-X27V-X225-GQ8G
Vulnerability from github – Published: 2017-12-06 16:43 – Updated: 2023-08-29 15:38
VLAI?
Summary
Recurly gem Server-Side Request Forgery in Resource#find method
Details
The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the Resource#find method that could result in compromise of API keys or other critical resources.
Severity ?
9.8 (Critical)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.3.10"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.2.0"
},
{
"fixed": "2.2.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.1.0"
},
{
"fixed": "2.1.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.13"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.9.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.8.0"
},
{
"fixed": "2.8.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.7.0"
},
{
"fixed": "2.7.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.6.0"
},
{
"fixed": "2.6.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.5.0"
},
{
"fixed": "2.5.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.4.0"
},
{
"fixed": "2.4.11"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.11.0"
},
{
"fixed": "2.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly"
},
"ranges": [
{
"events": [
{
"introduced": "2.10.0"
},
{
"fixed": "2.10.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-0905"
],
"database_specific": {
"cwe_ids": [
"CWE-918"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:01:40Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the `Resource#find` method that could result in compromise of API keys or other critical resources.",
"id": "GHSA-x27v-x225-gq8g",
"modified": "2023-08-29T15:38:45Z",
"published": "2017-12-06T16:43:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-0905"
},
{
"type": "WEB",
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/288635"
},
{
"type": "PACKAGE",
"url": "https://github.com/recurly/recurly-client-ruby"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/recurly/CVE-2017-0905.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Recurly gem Server-Side Request Forgery in Resource#find method"
}
GSD-2017-0905
Vulnerability from gsd - Updated: 2017-11-09 00:00Details
If you are using the #find method on any of the classes that are derived from
the Resource class and you are passing user input into that method, a
malicious user can force the http client to reach out to a server under their
control. This can lead to leakage of your private API key.
Because of the severity of impact, we are recommending that all users upgrade
to a patched version. We have provided a non-breaking patch for every 2.X
version of the client.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-0905",
"description": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource#find\" method that could result in compromise of API keys or other critical resources.",
"id": "GSD-2017-0905"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "recurly",
"purl": "pkg:gem/recurly"
}
}
],
"aliases": [
"CVE-2017-0905",
"GHSA-x27v-x225-gq8g"
],
"details": "If you are using the #find method on any of the classes that are derived from\nthe Resource class and you are passing user input into that method, a\nmalicious user can force the http client to reach out to a server under their\ncontrol. This can lead to leakage of your private API key.\n\nBecause of the severity of impact, we are recommending that all users upgrade\nto a patched version. We have provided a non-breaking patch for every 2.X\nversion of the client.\n",
"id": "GSD-2017-0905",
"modified": "2017-11-09T00:00:00.000Z",
"published": "2017-11-09T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.8,
"type": "CVSS_V3"
}
],
"summary": "SSRF vulnerability in Recurly gem\u0027s Resource#find."
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2017-11-06T00:00:00",
"ID": "CVE-2017-0905",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "recurly ruby gem",
"version": {
"version_data": [
{
"version_value": "Versions before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3"
}
]
}
}
]
},
"vendor_name": "Recurly"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource#find\" method that could result in compromise of API keys or other critical resources."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Server-Side Request Forgery (SSRF) (CWE-918)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://dev.recurly.com/page/ruby-updates",
"refsource": "CONFIRM",
"url": "https://dev.recurly.com/page/ruby-updates"
},
{
"name": "https://hackerone.com/reports/288635",
"refsource": "MISC",
"url": "https://hackerone.com/reports/288635"
},
{
"name": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be",
"refsource": "CONFIRM",
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2017-0905",
"cvss_v3": 9.8,
"date": "2017-11-09",
"description": "If you are using the #find method on any of the classes that are derived from\nthe Resource class and you are passing user input into that method, a\nmalicious user can force the http client to reach out to a server under their\ncontrol. This can lead to leakage of your private API key.\n\nBecause of the severity of impact, we are recommending that all users upgrade\nto a patched version. We have provided a non-breaking patch for every 2.X\nversion of the client.\n",
"gem": "recurly",
"ghsa": "x27v-x225-gq8g",
"patched_versions": [
"~\u003e 2.0.13",
"~\u003e 2.1.11",
"~\u003e 2.2.5",
"~\u003e 2.3.10",
"~\u003e 2.4.11",
"~\u003e 2.5.3",
"~\u003e 2.6.3",
"~\u003e 2.7.8",
"~\u003e 2.8.2",
"~\u003e 2.9.2",
"~\u003e 2.10.4",
"~\u003e 2.11.3",
"\u003e= 2.12.0"
],
"title": "SSRF vulnerability in Recurly gem\u0027s Resource#find.",
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.0.0 \u003c2.0.13||\u003e=2.1.0 \u003c2.1.11||\u003e=2.2.0 \u003c2.2.5||\u003e=2.3.0 \u003c2.3.10||\u003e=2.4.0 \u003c2.4.11||\u003e=2.5.0 \u003c2.5.3||\u003e=2.6.0 \u003c2.6.3||\u003e=2.7.0 \u003c2.7.8||\u003e=2.8.0 \u003c2.8.2||\u003e=2.9.0 \u003c2.9.2||\u003e=2.10.0 \u003c2.10.4||\u003e=2.11.0 \u003c2.11.2",
"affected_versions": "All versions starting from 2.0.0 before 2.0.13, all versions starting from 2.1.0 before 2.1.11, all versions starting from 2.2.0 before 2.2.5, all versions starting from 2.3.0 before 2.3.10, all versions starting from 2.4.0 before 2.4.11, all versions starting from 2.5.0 before 2.5.3, all versions starting from 2.6.0 before 2.6.3, all versions starting from 2.7.0 before 2.7.8, all versions starting from 2.8.0 before 2.8.2, all versions starting from 2.9.0 before 2.10.4, all versions starting from 2.11.0 before 2.11.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"cwe_ids": [
"CWE-1035",
"CWE-918",
"CWE-937"
],
"date": "2019-10-09",
"description": "If you are using the `#find` method on any of the classes that are derived from the `Resource` class and you are passing user input into that method, a malicious user can force the http client to reach out to a server under their control. This can lead to leakage of your private API key.",
"fixed_versions": [
"2.0.13",
"2.1.11",
"2.2.5",
"2.3.10",
"2.4.11",
"2.5.3",
"2.6.3",
"2.7.8",
"2.8.2",
"2.9.2",
"2.10.4",
"2.11.2"
],
"identifier": "CVE-2017-0905",
"identifiers": [
"CVE-2017-0905"
],
"not_impacted": "All versions before 2.0.0, all versions starting from 2.0.13 before 2.1.0, all versions starting from 2.1.11 before 2.2.0, all versions starting from 2.2.5 before 2.3.0, all versions starting from 2.3.10 before 2.4.0, all versions starting from 2.4.11 before 2.5.0, all versions starting from 2.5.3 before 2.6.0, all versions starting from 2.6.3 before 2.7.0, all versions starting from 2.7.8 before 2.8.0, all versions starting from 2.8.2 before 2.9.0, all versions starting from 2.9.2 before 2.10.0, all versions starting from 2.10.4 before 2.11.0, all versions starting from 2.11.2",
"package_slug": "gem/recurly",
"pubdate": "2017-11-13",
"solution": "Upgrade to versions 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.3, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.2 or above.",
"title": "SSRF vulnerability",
"urls": [
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0905",
"https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
],
"uuid": "39ca4ee1-f096-470d-8fa8-ca63c0b40477"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.0:c:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.4.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.6.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.7.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.8.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.9.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.10.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.11.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:recurly:recurly_client_ruby:2.11.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2017-0905"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the \"Resource#find\" method that could result in compromise of API keys or other critical resources."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-918"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://hackerone.com/reports/288635",
"refsource": "MISC",
"tags": [
"Permissions Required"
],
"url": "https://hackerone.com/reports/288635"
},
{
"name": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be",
"refsource": "CONFIRM",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be"
},
{
"name": "https://dev.recurly.com/page/ruby-updates",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://dev.recurly.com/page/ruby-updates"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "HIGH",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9
}
},
"lastModifiedDate": "2019-10-09T23:21Z",
"publishedDate": "2017-11-13T17:29Z"
}
}
}
CNVD-2017-36531
Vulnerability from cnvd - Published: 2017-12-07
VLAI Severity ?
Title
Recurly Client Ruby库服务器端请求伪造漏洞
Description
Recurly Client Ruby Library是美国Recurly公司的一款用于Recurly的Ruby API封装器。
Recurly Client Ruby Library中的Resource#find方法存在服务器端请求伪造漏洞。攻击者可利用该漏洞控制API密钥或其他重要资源。
Severity
高
Patch Name
Recurly Client Ruby库服务器端请求伪造漏洞的补丁
Patch Description
Recurly Client Ruby Library是美国Recurly公司的一款用于Recurly的Ruby API封装器。
Recurly Client Ruby Library中的Resource#find方法存在服务器端请求伪造漏洞。攻击者可利用该漏洞控制API密钥或其他重要资源。目前,供应商发布了安全公告及相关补丁信息,修复了此漏洞。
Formal description
厂商已发布漏洞修复程序,请及时关注更新: https://dev.recurly.com/page/ruby-updates
Reference
https://nvd.nist.gov/vuln/detail/CVE-2017-0905
Impacted products
| Name | ['Recurly Client Ruby Library <2.0.13', 'Recurly Client Ruby Library <2.1.11', 'Recurly Client Ruby Library <2.2.5', 'Recurly Client Ruby Library <2.3.10', 'Recurly Client Ruby Library <2.4.11', 'Recurly Client Ruby Library <2.5.4', 'Recurly Client Ruby Library <2.6.3', 'Recurly Client Ruby Library <2.7.8', 'Recurly Client Ruby Library <2.8.2', 'Recurly Client Ruby Library <2.9.2', 'Recurly Client Ruby Library <2.10.4', 'Recurly Client Ruby Library <2.11.3'] |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2017-0905"
}
},
"description": "Recurly Client Ruby Library\u662f\u7f8e\u56fdRecurly\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8eRecurly\u7684Ruby API\u5c01\u88c5\u5668\u3002\r\n\r\nRecurly Client Ruby Library\u4e2d\u7684Resource#find\u65b9\u6cd5\u5b58\u5728\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236API\u5bc6\u94a5\u6216\u5176\u4ed6\u91cd\u8981\u8d44\u6e90\u3002",
"discovererName": "bhelx",
"formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://dev.recurly.com/page/ruby-updates",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2017-36531",
"openTime": "2017-12-07",
"patchDescription": "Recurly Client Ruby Library\u662f\u7f8e\u56fdRecurly\u516c\u53f8\u7684\u4e00\u6b3e\u7528\u4e8eRecurly\u7684Ruby API\u5c01\u88c5\u5668\u3002\r\n\r\nRecurly Client Ruby Library\u4e2d\u7684Resource#find\u65b9\u6cd5\u5b58\u5728\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u63a7\u5236API\u5bc6\u94a5\u6216\u5176\u4ed6\u91cd\u8981\u8d44\u6e90\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Recurly Client Ruby\u5e93\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e\u7684\u8865\u4e01",
"products": {
"product": [
"Recurly Client Ruby Library \u003c2.0.13",
"Recurly Client Ruby Library \u003c2.1.11",
"Recurly Client Ruby Library \u003c2.2.5",
"Recurly Client Ruby Library \u003c2.3.10",
"Recurly Client Ruby Library \u003c2.4.11",
"Recurly Client Ruby Library \u003c2.5.4",
"Recurly Client Ruby Library \u003c2.6.3",
"Recurly Client Ruby Library \u003c2.7.8",
"Recurly Client Ruby Library \u003c2.8.2",
"Recurly Client Ruby Library \u003c2.9.2",
"Recurly Client Ruby Library \u003c2.10.4",
"Recurly Client Ruby Library \u003c2.11.3"
]
},
"referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-0905",
"serverity": "\u9ad8",
"submitTime": "2017-11-14",
"title": "Recurly Client Ruby\u5e93\u670d\u52a1\u5668\u7aef\u8bf7\u6c42\u4f2a\u9020\u6f0f\u6d1e"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…