CVE-2021-29923

CWE-20 — Improper Input Validation8 documents8 sources

Severity

7.5HIGH

EPSS

0.3%

top 51.31%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Golang GO Oracle Timesten In-memory Database Fedoraproject Fedora

Timeline

PublishedAug 7

Latest updateMay 24

Description

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDgolang/go< 1.17

▶NVDoracle/timesten_in-memory_database< 21.1.1.1.0

Also affects: Fedora 36

Patches

Patch: go-review.googlesource.com ↗Patch: www.oracle.com ↗Patch: go-review.googlesource.com ↗

🔴Vulnerability Details

GHSA

GHSA-38h6-vxp4-qxvm: Go before 1↗2022-05-24

▶

OSV

CVE-2021-29923: Go before 1↗2021-08-07

▶

CVEList

CVE-2021-29923: Go before 1↗2021-08-07

▶

📋Vendor Advisories

Oracle

Oracle Oracle TimesTen In-Memory Database Risk Matrix: EM TimesTen plug-in (Go) — CVE-2021-29923↗2022-01-15

▶

Microsoft

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet which (in some situations) allows attackers to bypass access control that is based on IP ad↗2021-08-10

▶

Red Hat

golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet↗2021-03-22

▶

Debian

CVE-2021-29923: golang-1.15 - Go before 1.17 does not properly consider extraneous zero characters at the begi...↗2021

▶