CVE-2021-29921 Information

Description

In Python before 395 the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://github.com/python/cpython/pull/25099 https://sick.codes/sick-2021-014 https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html https://github.com/sickcodes https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md https://github.com/python/cpython/pull/12577 https://docs.python.org/3/library/ipaddress.html https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst https://bugs.python.org/issue36384 https://security.netapp.com/advisory/ntap-20210622-0003/ https://www.oracle.com//security-alerts/cpujul2021.html https://www.oracle.com/security-alerts/cpuoct2021.html https://www.oracle.com/security-alerts/cpujan2022.html https://www.oracle.com/security-alerts/cpuapr2022.html

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.8