CVE-2021-29921

Name
CVE-2021-29921
Description
In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
NVD Severity
high

References

Type URI
MISC https://github.com/python/cpython/pull/25099
MISC https://sick.codes/sick-2021-014
MISC https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
MISC https://github.com/sickcodes
MISC https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
MISC https://github.com/python/cpython/pull/12577
MISC https://docs.python.org/3/library/ipaddress.html
MISC https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
MISC https://bugs.python.org/issue36384
CONFIRM https://security.netapp.com/advisory/ntap-20210622-0003/
N/A https://www.oracle.com//security-alerts/cpujul2021.html
MISC https://www.oracle.com/security-alerts/cpuoct2021.html
Patch https://www.oracle.com/security-alerts/cpujan2022.html
MISC https://www.oracle.com/security-alerts/cpuapr2022.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.8.0: <= 3.10.0:
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.8.0 <= 3.10.0
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.8.0 < 3.9.5
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.8.0 < 3.8.12
cpe:2.3:a:python:python:*:*:*:*:*:*:*:* python >= 3.9.0 < 3.9.5

Vulnerable and fixed packages

Source package Branch Version Maintainer Status