VIR Vulnerability Intelligence Relay

CVE-2017-0905

critical
Published 2017-11-09 · Modified 2024-02-16
CVSS v3
9.8
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v2
7.5
VIR risk
9.8

Description

Recurly gem Server-Side Request Forgery in Resource#find method

Predictions

Exploit likelihood
97%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — https://github.com/recurly/recurly-client-ruby/commit/1bb0284d6e668b8b3d31167790ed6db1f6ccc4be

vendor Authored 2026-05-27

Vendor advisory: support@hackerone.com — https://dev.recurly.com/page/ruby-updates

Package impact
EcosystemPackageVulnerableFixed
ruby RubyGemsrecurly<~> 2.0.13~> 2.0.13
ruby RubyGemsrecurly>=2.3.0,<2.3.102.3.10
ruby RubyGemsrecurly>=2.2.0,<2.2.52.2.5
ruby RubyGemsrecurly>=2.1.0,<2.1.112.1.11
ruby RubyGemsrecurly>=2.0.0,<2.0.132.0.13
ruby RubyGemsrecurly>=2.9.0,<2.9.22.9.2
ruby RubyGemsrecurly>=2.8.0,<2.8.22.8.2
ruby RubyGemsrecurly>=2.7.0,<2.7.82.7.8
ruby RubyGemsrecurly>=2.6.0,<2.6.32.6.3
ruby RubyGemsrecurly>=2.5.0,<2.5.42.5.4
ruby RubyGemsrecurly>=2.4.0,<2.4.112.4.11
ruby RubyGemsrecurly>=2.11.0,<2.11.32.11.3
ruby RubyGemsrecurly>=2.10.0,<2.10.42.10.4

Application impact
VendorProductVersionsFixed
recurlyrecurly_client_ruby2.0.0
recurlyrecurly_client_ruby2.0.1
recurlyrecurly_client_ruby2.0.2
recurlyrecurly_client_ruby2.0.3
recurlyrecurly_client_ruby2.0.4
recurlyrecurly_client_ruby2.0.5
recurlyrecurly_client_ruby2.0.6
recurlyrecurly_client_ruby2.0.7
recurlyrecurly_client_ruby2.0.8
recurlyrecurly_client_ruby2.0.9
recurlyrecurly_client_ruby2.0.10
recurlyrecurly_client_ruby2.0.11
recurlyrecurly_client_ruby2.0.12
recurlyrecurly_client_ruby2.1.0
recurlyrecurly_client_ruby2.1.1
recurlyrecurly_client_ruby2.1.2
recurlyrecurly_client_ruby2.1.3
recurlyrecurly_client_ruby2.1.4
recurlyrecurly_client_ruby2.1.5
recurlyrecurly_client_ruby2.1.6
recurlyrecurly_client_ruby2.1.7
recurlyrecurly_client_ruby2.1.8
recurlyrecurly_client_ruby2.1.9
recurlyrecurly_client_ruby2.1.10
recurlyrecurly_client_ruby2.2.0
recurlyrecurly_client_ruby2.2.1
recurlyrecurly_client_ruby2.2.2
recurlyrecurly_client_ruby2.2.3
recurlyrecurly_client_ruby2.2.4
recurlyrecurly_client_ruby2.3.0
recurlyrecurly_client_ruby2.3.1
recurlyrecurly_client_ruby2.3.2
recurlyrecurly_client_ruby2.3.3
recurlyrecurly_client_ruby2.3.4
recurlyrecurly_client_ruby2.3.5
recurlyrecurly_client_ruby2.3.6
recurlyrecurly_client_ruby2.3.7
recurlyrecurly_client_ruby2.3.8
recurlyrecurly_client_ruby2.3.9
recurlyrecurly_client_ruby2.4.0
recurlyrecurly_client_ruby2.4.1
recurlyrecurly_client_ruby2.4.2
recurlyrecurly_client_ruby2.4.3
recurlyrecurly_client_ruby2.4.4
recurlyrecurly_client_ruby2.4.5
recurlyrecurly_client_ruby2.4.6
recurlyrecurly_client_ruby2.4.7
recurlyrecurly_client_ruby2.4.8
recurlyrecurly_client_ruby2.4.9
recurlyrecurly_client_ruby2.4.10
recurlyrecurly_client_ruby2.5.0
recurlyrecurly_client_ruby2.5.1
recurlyrecurly_client_ruby2.5.2
recurlyrecurly_client_ruby2.5.3
recurlyrecurly_client_ruby2.6.0
recurlyrecurly_client_ruby2.6.1
recurlyrecurly_client_ruby2.6.2
recurlyrecurly_client_ruby2.7.0
recurlyrecurly_client_ruby2.7.1
recurlyrecurly_client_ruby2.7.2
recurlyrecurly_client_ruby2.7.3
recurlyrecurly_client_ruby2.7.4
recurlyrecurly_client_ruby2.7.5
recurlyrecurly_client_ruby2.7.6
recurlyrecurly_client_ruby2.7.7
recurlyrecurly_client_ruby2.8.0
recurlyrecurly_client_ruby2.8.1
recurlyrecurly_client_ruby2.9.0
recurlyrecurly_client_ruby2.9.1
recurlyrecurly_client_ruby2.10.0
recurlyrecurly_client_ruby2.10.1
recurlyrecurly_client_ruby2.10.2
recurlyrecurly_client_ruby2.10.3
recurlyrecurly_client_ruby2.11.0
recurlyrecurly_client_ruby2.11.1
recurlyrecurly_client_ruby2.11.2

References

CWEs

CWE-918

Verify integrity in audit chain (admin only). AS-IS.