CVE-2021-29662
Published: 31 March 2021
The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Notes
Author | Note |
---|---|
mdeslaur | the upstream patch only clarifies the documentation, there is actual behaviour change. Marking as negligible. |
Priority
Status
Package | Release | Status |
---|---|---|
libdata-validate-ip-perl (Launchpad, Ubuntu, Debian) | bionic | Needed |
 | focal | Needed |
 | groovy | Ignored (end of life) |
 | hirsute | Ignored (end of life) |
 | impish | Not vulnerable (0.30-1) |
 | jammy | Not vulnerable (0.30-1) |
 | kinetic | Not vulnerable (0.30-1) |
 | lunar | Not vulnerable (0.30-1) |
 | mantic | Not vulnerable (0.30-1) |
 | trusty | Does not exist |
 | upstream | Released (0.30-1) |
 | xenial | Needs triage |

Patches: upstream: https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality | None |
Integrity impact | High |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |