CVE-2021-29424
Published: 6 April 2021
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Notes
Author | Note |
---|---|
seth-arnold | blog.urth.org reports many perl modules affected; I don't know if this CVE number applies to something else entirely, all of them, or just one of these packages. |
Priority
Status
Package | Release | Status |
---|---|---|
libnet-netmask-perl | bionic | Needed |
libnet-netmask-perl | focal | Needed |
libnet-netmask-perl | groovy | Ignored (end of life) |
libnet-netmask-perl | hirsute | Ignored (end of life) |
libnet-netmask-perl | impish | Not vulnerable (1.9104-2) |
libnet-netmask-perl | jammy | Not vulnerable (2.0001-1) |
libnet-netmask-perl | kinetic | Not vulnerable (2.0001-1) |
libnet-netmask-perl | lunar | Not vulnerable (2.0001-1) |
libnet-netmask-perl | mantic | Not vulnerable (2.0001-1) |
libnet-netmask-perl | trusty | Does not exist |
libnet-netmask-perl | upstream | Released (1.9104-2) |
libnet-netmask-perl | xenial | Needed |
libnetwork-ipv4addr-perl | bionic | Needed |
libnetwork-ipv4addr-perl | focal | Needed |
libnetwork-ipv4addr-perl | groovy | Ignored (end of life) |
libnetwork-ipv4addr-perl | hirsute | Ignored (end of life) |
libnetwork-ipv4addr-perl | impish | Ignored (end of life) |
libnetwork-ipv4addr-perl | jammy | Needed |
libnetwork-ipv4addr-perl | kinetic | Ignored (end of life, was needed) |
libnetwork-ipv4addr-perl | lunar | Ignored (end of life, was needed) |
libnetwork-ipv4addr-perl | mantic | Needed |
libnetwork-ipv4addr-perl | trusty | Does not exist |
libnetwork-ipv4addr-perl | upstream | Needed |
libnetwork-ipv4addr-perl | xenial | Needed |

Patches for libnet-netmask-perl:
upstream: https://github.com/jmaslak/Net-Netmask/commit/9023b403682f1eaadadf6cb71ba0117a1fa4f163
upstream: https://github.com/jmaslak/Net-Netmask/commit/6b60b4eb3e98ee7548c13ecb7cb02c626f948a40
upstream: https://github.com/jmaslak/Net-Netmask/commit/30d82695e32bc3b1615c7cd08d34528252363436

Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |