Vulnerability Details: CVE-2021-29922
Potential exploit
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
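The parser disagreement behind this CVE, as an added illustration that is not the page's or the Rust project's own code: a lenient parser modelled on the pre-1.53 behaviour reads "0127.0.0.1" as 127.0.0.1, an octal-aware parser in the inet_aton tradition reads the same string as 87.0.0.1, and the patched std parser rejects it outright. The `has_leading_zero_octet` function is an assumed defender-side input check, not part of std; the model parsers are simplified stand-ins, not the real implementations.

```rust
use std::convert::TryFrom;
use std::net::Ipv4Addr;

/// Parse a dotted quad, letting `radix_of` decide how each octet string is read.
/// Shared by the two model parsers below; not the std implementation.
fn parse_with(s: &str, radix_of: fn(&str) -> u32) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut octets = [0u8; 4];
    for (slot, part) in octets.iter_mut().zip(parts.iter().copied()) {
        if part.is_empty() || !part.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        // Values above 255 (e.g. "256", or "0400" read as octal) are rejected.
        let value = u32::from_str_radix(part, radix_of(part)).ok()?;
        *slot = u8::try_from(value).ok()?;
    }
    Some(Ipv4Addr::from(octets))
}

/// Models the pre-1.53 std behaviour the advisory describes: leading zeros are
/// ignored, so "0127" is read as decimal 127.
fn parse_lenient_pre_1_53(s: &str) -> Option<Ipv4Addr> {
    parse_with(s, |_| 10)
}

/// Models an octal-aware parser in the inet_aton tradition: a leading zero
/// selects base 8, so "0127" is read as 87.
fn parse_octal_aware(s: &str) -> Option<Ipv4Addr> {
    parse_with(s, |p| if p.len() > 1 && p.starts_with('0') { 8 } else { 10 })
}

/// Assumed defender-side check: an octet with a leading zero means different
/// things to different parsers, so reject it before any IP-based access check.
fn has_leading_zero_octet(s: &str) -> bool {
    s.split('.').any(|p| p.len() > 1 && p.starts_with('0'))
}

fn main() {
    let s = "0127.0.0.1"; // constructed sample input
    println!("pre-1.53 lenient model: {:?}", parse_lenient_pre_1_53(s));
    println!("octal-aware model:      {:?}", parse_octal_aware(s));
    println!("std (1.53 and later):   {:?}", s.parse::<Ipv4Addr>());
    println!("reject as ambiguous:    {}", has_leading_zero_octet(s));
}
```

The access-control risk is the gap between the first two results: a rule evaluated on one reading is applied to traffic that another component resolved under the other.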
Products affected by CVE-2021-29922
- cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-29922
0.19% (probability of exploitation activity in the next 30 days)
~38% (percentile: the proportion of vulnerabilities scored at or below this score)
CVSS scores for CVE-2021-29922
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
6.4 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:P | 10.0 | 4.9 | NIST |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | NIST |
References for CVE-2021-29922
- [DEF CON® 29 Hacking Conference - Speakers](https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis) (Third Party Advisory)
- [Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security](https://security.gentoo.org/glsa/202210-09) (Third Party Advisory)
- [security/SICK-2021-015.md at master · sickcodes/security · GitHub](https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md) (Exploit; Third Party Advisory)
- [Ipv4Addr: Incorrect Parsing for Octal format IP string · Issue #83648 · rust-lang/rust · GitHub](https://github.com/rust-lang/rust/issues/83648) (Exploit; Issue Tracking; Patch; Third Party Advisory)
- [Disallow octal format in Ipv4 string by xu-cheng · Pull Request #83652 · rust-lang/rust · GitHub](https://github.com/rust-lang/rust/pull/83652) (Patch; Third Party Advisory)
- [Ipv4Addr in std::net - Rust](https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html) (Vendor Advisory)