
Serious Netmask vulnerability found to affect three Perl IP modules


The flaw, which may result in SSRF, has now been patched


A trio of Perl modules are potentially vulnerable to a critical upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and look up IP network blocks.

The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator, said Perl developer Dave Rolsky in a blog post published yesterday (March 29).

Security implications

As reported by The Daily Swig, the potentially “catastrophic” security vulnerability in Netmask, an NPM package, could lead to server-side request forgery (SSRF) in downstream applications.

The nine-year-old flaw, which requires no authentication to exploit, was fixed in Netmask v2.0, released on March 20.


The improper input validation bug, which potentially affects up to 279,000 GitHub projects, means that parsing an IP address with a leading zero results in Netmask seeing an entirely different IP. A leading zero conventionally marks an octal octet, which is how the operating system's inet_aton() and most HTTP clients read it, whereas Netmask read the digits as decimal; an access-control check and the client that performs the request can therefore disagree about which host a string names.

Data-Validate-IP mitigation

Although Data-Validate-IP does not misparse octal numbers, it may still be susceptible to the Netmask flaw “depending on exactly how your code uses this distro”, said Rolsky.

“This distribution returns false for any method that includes an octal number,” explains Rolsky. “So both and return false.


“I updated the documentation to explicitly recommend that you always call along with calling a method like ,” said the developer.
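The following is an added example, not code from The Daily Swig, the Netmask package or Dave Rolsky's CPAN modules. It illustrates both the misparse described under “Security implications” and the reject-octal behaviour attributed to Data-Validate-IP above, using three constructed IPv4 parsers: a lenient one that drops a leading zero the way the vulnerable Netmask did, one that mimics how inet_aton() and most HTTP clients read the same string, and a strict one that refuses any octet with a leading zero. The function names, the `ssrfDecision` guard and the test addresses are all assumptions made for the example.

```javascript
// Added example (not code from The Daily Swig, Netmask or Dave Rolsky's
// CPAN modules). Three constructed IPv4 parsers show why a leading zero
// matters: the lenient one mirrors the Netmask misparse, the second mimics
// how inet_aton() and most HTTP clients read the same string, and the
// strict one takes the Data-Validate-IP route of rejecting octal octets.
// All addresses below are constructed test inputs.

const OCTET_MAX = 255;

// Lenient parse: parseInt(p, 10) silently drops a leading zero, so
// "0177" is read as decimal 177 instead of octal 127.
function parseIPv4Lenient(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = parts.map((p) => parseInt(p, 10));
  if (octets.some((o) => Number.isNaN(o) || o < 0 || o > OCTET_MAX)) return null;
  return octets;
}

// inet_aton-style parse: "0177" is octal, "0x7f" is hex, "127" is decimal.
// (Simplified: the real inet_aton also accepts fewer than four parts.)
function parseIPv4InetAton(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    let v;
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) v = parseInt(p.slice(2), 16);
    else if (/^0[0-7]+$/.test(p)) v = parseInt(p.slice(1), 8);
    else if (/^(0|[1-9][0-9]*)$/.test(p)) v = parseInt(p, 10);
    else return null;
    if (v > OCTET_MAX) return null;
    octets.push(v);
  }
  return octets;
}

// Strict parse: only canonical decimal octets, no leading zeros, no hex.
// Ambiguous input is rejected rather than guessed at.
function parseIPv4Strict(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  const octets = [];
  for (const p of parts) {
    if (!/^(0|[1-9][0-9]{0,2})$/.test(p)) return null;
    const v = Number(p);
    if (v > OCTET_MAX) return null;
    octets.push(v);
  }
  return octets;
}

// Loopback, RFC 1918 and link-local ranges an SSRF guard would block.
function isInternal([a, b]) {
  return (
    a === 127 ||
    a === 10 ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 169 && b === 254)
  );
}

// Hypothetical SSRF guard: the verdict depends entirely on which parser
// it trusts. "allowed" means the outbound request would go ahead.
function ssrfDecision(parse, host) {
  const octets = parse(host);
  if (octets === null) return "rejected";
  return isInternal(octets) ? "blocked" : "allowed";
}

// With the lenient parser the guard waves "0177.0.0.1" through as
// 177.0.0.1, while the HTTP client that then performs the request
// connects to 127.0.0.1: that mismatch is the SSRF.
function demo() {
  const host = "0177.0.0.1";
  return {
    lenient: ssrfDecision(parseIPv4Lenient, host), // "allowed"
    client: ssrfDecision(parseIPv4InetAton, host), // "blocked"
    strict: ssrfDecision(parseIPv4Strict, host), // "rejected"
  };
}

console.log(JSON.stringify(demo()));
```

The strict parser is the safe choice for an allowlist or blocklist check precisely because it never has to guess: anything that is not a canonical dotted-decimal address is refused, so the guard and the HTTP client can never disagree about the host. If a lenient parser must be kept, the alternative is to parse exactly as the client does, which is what the inet_aton-style function approximates.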

Rolsky also noted that Net-CIDR-Lite is currently unmaintained until a new volunteer is found.

Other CPAN modules used for working with IP addresses and netmasks – Socket, Net-DNS, NetAddr-IP, Net-Subnet, and Net-Patricia – appear to be unaffected, he added.

The Daily Swig has contacted Dave Rolsky for further comment and this article will be updated should we receive a response.

