{"schema_version":"1.3.1","id":"GO-2023-1526","modified":"2024-05-20T16:03:47Z","published":"2023-02-14T16:19:07Z","aliases":["CVE-2023-24623","GHSA-v9mp-j8g7-2q6m"],"summary":"Server-side request forgery in github.com/hakobe/paranoidhttp","details":"Paranoidhttp before is vulnerable to SSRF because [::] is equivalent to the 127.0.0.1 address, but does not match the filter for private addresses.","affected":[{"package":{"name":"github.com/hakobe/paranoidhttp","ecosystem":"Go"},"ranges":[{"type":"SEMVER","events":[{"introduced":"0"},{"fixed":"0.3.0"}]}],"ecosystem_specific":{"imports":[{"path":"github.com/hakobe/paranoidhttp","symbols":["safeAddr"]}]}}],"references":[{"type":"WEB","url":"https://github.com/hakobe/paranoidhttp/blob/master/CHANGELOG.md#v030-2023-01-19"},{"type":"FIX","url":"https://github.com/hakobe/paranoidhttp/commit/07f671da14ce63a80f4e52432b32e8d178d75fd3"},{"type":"WEB","url":"https://github.com/hakobe/paranoidhttp/compare/v0.2.0...v0.3.0"}],"database_specific":{"url":"https://pkg.go.dev/vuln/GO-2023-1526","review_status":"REVIEWED"}}