CVE-2021-29923 : Go before 1.17 does not properly consider extraneous zero characters at the begi

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

Published 2021-08-07 17:15:07

Updated 2022-09-14 21:11:30

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2021-29923

Oracle » Timesten In-memory Database
Versions before (<) 21.1.1.1.0
cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*
Matching versions
Fedoraproject » Fedora » Version: 36
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
Matching versions
Golang » GO
Versions before (<) 1.17
cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2021-29923

EPSS FAQ

0.08%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 20 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-29923

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
5.0	MEDIUM	AV:N/AC:L/Au:N/C:N/I:P/A:N	10.0	2.9	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None
7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N	3.9	3.6	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: None Integrity: High Availability: None

References for CVE-2021-29923

https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis

DEF CON® 29 Hacking Conference - Speakers
Third Party Advisory

CVEs referencing this url
https://github.com/golang/go/issues/30999

net: reject leading zeros in IP address parsers [freeze exception] · Issue #30999 · golang/go · GitHub
Exploit;Issue Tracking;Third Party Advisory
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md

security/SICK-2021-016.md at master · sickcodes/security · GitHub
Exploit;Third Party Advisory
https://github.com/golang/go/issues/43389

net: limit the size of ParseIP input? · Issue #43389 · golang/go · GitHub
Issue Tracking;Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/

[SECURITY] Fedora 36 Update: golang-1.18~rc1-2.fc36 - package-announce - Fedora Mailing-Lists
Mailing List;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202208-02

Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security
Third Party Advisory

CVEs referencing this url
https://go-review.googlesource.com/c/go/+/325829/

Patch;Third Party Advisory
https://golang.org/pkg/net/#ParseCIDR

net · pkg.go.dev
Vendor Advisory

Jump to

Vulnerability Details : CVE-2021-29923

Products affected by CVE-2021-29923

Exploit prediction scoring system (EPSS) score for CVE-2021-29923

CVSS scores for CVE-2021-29923

References for CVE-2021-29923