CVE-2017-0905

high-risk
Published 2017-11-13

The Recurly Client Ruby Library before 2.0.13, 2.1.11, 2.2.5, 2.3.10, 2.4.11, 2.5.4, 2.6.3, 2.7.8, 2.8.2, 2.9.2, 2.10.4, 2.11.3 is vulnerable to a Server-Side Request Forgery vulnerability in the "Resource#find" method that could result in compromise of API keys or other critical resources.

Do I need to act?

-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
+
Fix available
Upgrade to: 1bb0284d6e668b8b3d31167790ed6db1f6ccc4be
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby
Recurly Client Ruby

Affected Vendors

Recurly

References (6)

Vendor Advisory https://dev.recurly.com/page/ruby-updates
Patch https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790...
Permissions Required https://hackerone.com/reports/288635
Vendor Advisory https://dev.recurly.com/page/ruby-updates
Patch https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790...
Permissions Required https://hackerone.com/reports/288635
63
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 2/34 · Minimal
Exposure 29/34 · Critical