Vulnerability CVE-2021-29921


Published: 2021-05-06

Description:
Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid IP addresses.

Type:

CWE-20

(Improper Input Validation)

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial
Affected software
Python -> Python 

 References:
https://github.com/python/cpython/pull/25099
https://sick.codes/sick-2021-014
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
https://github.com/sickcodes
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
https://github.com/python/cpython/pull/12577
https://docs.python.org/3/library/ipaddress.html
https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
https://bugs.python.org/issue36384

Copyright 2024, cxsecurity.com

 

Back to Top