CVE-2021-29921 : In Python before 3,9,5, the ipaddress library mishandles leading zero characters

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

Published 2021-05-06 13:15:13

Updated 2023-05-03 11:15:10

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2021-29921

Oracle » Graalvm » Version: 20.3.2 Enterprise Edition
cpe:2.3:a:oracle:graalvm:20.3.2:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Graalvm » Version: 21.1.0 Enterprise Edition
cpe:2.3:a:oracle:graalvm:21.1.0:*:*:*:enterprise:*:*:*
Matching versions
Oracle » Zfs Storage Appliance Kit » Version: 8.8
cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Network Slice Selection Function » Version: 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Binding Support Function » Version: 1.11.0
cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*
Matching versions
Oracle » Communications Cloud Native Core Automated Test Suite » Version: 1.8.0
cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.9.0 and before (<) 3.9.5
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions
Python » Python
Versions from including (>=) 3.8.0 and before (<) 3.8.12
cpe:2.3:a:python:python:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2021-29921

Top countries where our scanners detected CVE-2021-29921

Top open port discovered on systems with this issue 80

IPs affected by CVE-2021-29921 182,586

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2021-29921!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2021-29921

EPSS FAQ

1.82%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2021-29921

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
7.5	HIGH	AV:N/AC:L/Au:N/C:P/I:P/A:P	10.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

References for CVE-2021-29921

https://github.com/python/cpython/pull/12577

bpo-36384: Remove check for leading zeroes in IPv4 addresses by TV4Fun · Pull Request #12577 · python/cpython · GitHub
Patch;Third Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.html

Oracle Critical Patch Update Advisory - April 2022
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com//security-alerts/cpujul2021.html

Oracle Critical Patch Update Advisory - July 2021
Patch;Third Party Advisory

CVEs referencing this url
https://www.oracle.com/security-alerts/cpujan2022.html

Oracle Critical Patch Update Advisory - January 2022
Patch;Third Party Advisory

CVEs referencing this url
https://github.com/sickcodes

sickcodes · GitHub
Third Party Advisory

CVEs referencing this url
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md

security/SICK-2021-014.md at master · sickcodes/security · GitHub
Exploit;Third Party Advisory
https://bugs.python.org/issue36384

Issue 36384: [security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal - Python tracker
Issue Tracking;Patch;Vendor Advisory
https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst

cpython/3.8.0a4.rst at 63298930fb531ba2bb4f23bc3b915dbf1e17e9e1 · python/cpython · GitHub
Third Party Advisory
https://github.com/python/cpython/pull/25099

bpo-36384: Leading zeros in IPv4 addresses are no longer tolerated by tiran · Pull Request #25099 · python/cpython · GitHub
Patch;Third Party Advisory
https://sick.codes/sick-2021-014

CVE-2021-29921 - python stdlib "ipaddress" - Improper Input Validation of octal literals in python 3.8.0 thru v3.10 results in indeterminate SSRF & RFI vulnerabilities. - "ipaddress leading zeros in I
Exploit;Third Party Advisory
https://docs.python.org/3/library/ipaddress.html

ipaddress — IPv4/IPv6 manipulation library — Python 3.9.5 documentation
Vendor Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Oracle Critical Patch Update Advisory - October 2021
Patch;Third Party Advisory

CVEs referencing this url
https://security.gentoo.org/glsa/202305-02

Python, PyPy3: Multiple Vulnerabilities (GLSA 202305-02) — Gentoo security

CVEs referencing this url
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html

ipaddress leading zeros in IPv4 address — Python Security 0.0 documentation
Vendor Advisory
https://security.netapp.com/advisory/ntap-20210622-0003/

CVE-2021-29921 Python Vulnerability in NetApp Products | NetApp Product Security
Third Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

Oracle Critical Patch Update Advisory - July 2022

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2021-29921

Products affected by CVE-2021-29921

Threat overview for CVE-2021-29921

Exploit prediction scoring system (EPSS) score for CVE-2021-29921

CVSS scores for CVE-2021-29921

References for CVE-2021-29921