CVE-2021-29921

critical

Description

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

References

https://www.oracle.com/security-alerts/cpuoct2021.html

https://www.oracle.com/security-alerts/cpujan2022.html

https://www.oracle.com/security-alerts/cpuapr2022.html

https://www.oracle.com//security-alerts/cpujul2021.html

https://security.netapp.com/advisory/ntap-20210622-0003/

https://security.gentoo.org/glsa/202305-02

https://github.com/sickcodes

https://github.com/python/cpython/pull/25099

https://github.com/python/cpython/pull/12577

https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst

https://www.tenable.com/blog/oracle-july-2022-critical-patch-update-addresses-188-cves

https://www.oracle.com/security-alerts/cpujul2022.html

https://sick.codes/sick-2021-014

https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md

https://docs.python.org/3/library/ipaddress.html

https://bugs.python.org/issue36384

Details

Source: Mitre, NVD

Published: 2021-05-06

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 7.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

Severity: High

CVSS v3

Base Score: 9.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

EPSS

EPSS: 0.01822

Detections

Analytics