CVE-2021-29921 — Improper Input Validation in Python

CWE-20 — Improper Input Validation12 documents8 sources

Severity

9.8CRITICALNVD

EPSS

2.0%

top 16.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Python Oracle Communications Cloud Native Core Automated Test Suite Oracle Communications Cloud Native Core Binding Support Function +3 more

Timeline

PublishedMay 6

Latest updateJul 11

Description

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages6 packages

▶NVDpython/python3.8.0 — 3.8.12+1

▶NVDoracle/graalvm20.3.2, 21.1.0+1

▶NVDoracle/zfs_storage_appliance_kit8.8

▶NVDoracle/communications_cloud_native_core_automated_test_suite1.8.0

▶NVDoracle/communications_cloud_native_core_binding_support_function1.11.0

Patches

Patch: bugs.python.org ↗Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-cxqv-r2cc-r9c9: Improper input validation of octal strings in Python stdlib ipaddress 3↗2022-05-24

▶

CVEList

CVE-2021-29921: In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string↗2021-05-06

▶

OSV

CVE-2021-29921: In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string↗2021-05-06

▶

📋Vendor Advisories

Ubuntu

Python vulnerabilities↗2024-07-11

▶

Oracle

Oracle Oracle Communications Risk Matrix: BSF (Python) — CVE-2021-29921↗2022-04-15

▶

Oracle

Oracle Oracle Communications Risk Matrix: ATS Framework (Python) — CVE-2021-29921↗2022-01-15

▶

Ubuntu

Python vulnerability↗2021-10-04

▶

Oracle

Oracle Oracle Java SE Risk Matrix: Python interpreter and runtime (CPython) — CVE-2021-29921↗2021-07-15

▶