CVE-2021-29921

critical

Description

In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
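The practical hazard behind that description is ambiguity: a literal such as "010.0.0.1" was read by the pre-3.9.5 ipaddress module as 10.0.0.1 (decimal), while C-library parsers such as inet_aton() read "010" as octal 8, so two components of one system can disagree about which host an allowlisted string names. The example below is an added illustration, not code from the Tenable page, CPython or any of the linked advisories. It shows a strict dotted-quad validator that refuses leading-zero octets on any interpreter version, an access check that denies rather than coerces an unparsable client address, and a probe that reports whether the running interpreter still accepts such literals. The sample addresses and the allowlist helper are constructed for the example.

```python
"""Strict IPv4 literal handling around the CVE-2021-29921 leading-zero issue.

Added example; assumes only the standard library. From Python 3.9.5 the
ipaddress module itself raises ValueError on leading zeros; the validator
here does not rely on that, so it gives the same answer on older builds.
"""
import ipaddress
import re

# Constructed sample inputs. The last three are the ambiguous forms that an
# unpatched ipaddress accepted (reading "010" as decimal 10) while C
# inet_aton() treats "010" as octal 8.
SAMPLES = [
    "192.168.1.10",
    "10.0.0.1",
    "0.0.0.0",
    "010.0.0.1",
    "127.000.000.001",
    "192.168.01.1",
]

# An octet is either a single "0" or a number with no leading zero; the
# 0-255 range check is left to ipaddress after the syntactic check passes.
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
_STRICT_IPV4 = re.compile(rf"{_OCTET}(?:\.{_OCTET}){{3}}")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse a dotted-quad literal, refusing leading zeros on every Python version."""
    if not _STRICT_IPV4.fullmatch(text):
        raise ValueError(f"rejecting ambiguous or malformed IPv4 literal: {text!r}")
    # ipaddress still enforces that each octet is <= 255.
    return ipaddress.IPv4Address(text)


def rejects(text: str) -> bool:
    """True when strict_ipv4() refuses the literal (used by the checks below)."""
    try:
        strict_ipv4(text)
    except ValueError:
        return True
    return False


def is_allowed(client: str, allowlist) -> bool:
    """IP-based access check (hypothetical): an unparsable or ambiguous client
    address is denied outright instead of being normalised to some other host."""
    try:
        addr = strict_ipv4(client)
    except ValueError:
        return False
    return any(addr in ipaddress.IPv4Network(net) for net in allowlist)


def interpreter_accepts_leading_zeros() -> bool:
    """True if this interpreter's ipaddress still parses '010.0.0.1', i.e. it
    predates the 3.9.5 fix; useful as a quick self-check in a deployment."""
    try:
        ipaddress.IPv4Address("010.0.0.1")
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    print("ipaddress accepts leading zeros:", interpreter_accepts_leading_zeros())
    for sample in SAMPLES:
        verdict = "rejected" if rejects(sample) else f"parsed as {strict_ipv4(sample)}"
        print(f"{sample:>16}: {verdict}")
```

Running the module prints one verdict per sample; the three leading-zero literals are rejected regardless of interpreter, and the probe tells you whether the underlying ipaddress module would have silently accepted them.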

References

https://github.com/python/cpython/pull/25099

https://sick.codes/sick-2021-014

https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

https://github.com/sickcodes

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md

https://github.com/python/cpython/pull/12577

https://docs.python.org/3/library/ipaddress.html

https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst

https://bugs.python.org/issue36384

https://security.netapp.com/advisory/ntap-20210622-0003/

https://www.oracle.com//security-alerts/cpujul2021.html

https://www.oracle.com/security-alerts/cpuoct2021.html

Details

Source: MITRE

Published: 2021-05-06

Updated: 2021-11-29

Type: CWE-20

Risk Information

CVSS v2

Base Score: 7.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Impact Score: 6.4

Exploitability Score: 10

Severity: HIGH

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Score: 5.9

Exploitability Score: 3.9

Severity: CRITICAL

Tenable Plugins

13 plugins in total.

ID     | Name                                                                      | Product | Family                             | Severity
155969 | Oracle Linux 8 : python38:3.8 / and / python38-devel:3.8 (ELSA-2021-4162) | Nessus  | Oracle Linux Local Security Checks | critical
155967 | Oracle Linux 8 : python39:3.9 / and / python39-devel:3.9 (ELSA-2021-4160) | Nessus  | Oracle Linux Local Security Checks | critical
155200 | RHEL 8 : python39:3.9 and python39-devel:3.9 (RHSA-2021:4160)             | Nessus  | Red Hat Local Security Checks      | critical
155193 | RHEL 8 : python38:3.8 and python38-devel:3.8 (RHSA-2021:4162)             | Nessus  | Red Hat Local Security Checks      | critical
155064 | CentOS 8 : python38:3.8 and python38-devel:3.8 (CESA-2021:4162)           | Nessus  | CentOS Local Security Checks       | critical
155040 | CentOS 8 : python39:3.9 and python39-devel:3.9 (CESA-2021:4160)           | Nessus  | CentOS Local Security Checks       | critical
154332 | Oracle Database Server Multiple Vulnerabilities (October 2021 CPU)        | Nessus  | Databases                          | critical
153852 | Ubuntu 20.04 LTS : Python vulnerability (USN-4973-2)                      | Nessus  | Ubuntu Local Security Checks       | critical
153002 | openSUSE 15 Security Update : python39 (openSUSE-SU-2021:2940-1)          | Nessus  | SuSE Local Security Checks         | critical
152997 | SUSE SLED15 / SLES15 Security Update : python39 (SUSE-SU-2021:2940-1)     | Nessus  | SuSE Local Security Checks         | critical
152781 | RHEL 7 : rh-python38 (RHSA-2021:3254)                                     | Nessus  | Red Hat Local Security Checks      | critical
150132 | Ubuntu 20.04 LTS / 20.10 : Python vulnerability (USN-4973-1)              | Nessus  | Ubuntu Local Security Checks       | critical
149825 | Photon OS 4.0: Python3 PHSA-2021-4.0-0028                                 | Nessus  | PhotonOS Local Security Checks     | critical