CVE-2021-29662
Published: 31 March 2021
The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Notes
| Author | Note |
|---|---|
| mdeslaur | the upstream patch only clarifies the documentation, there is actual behaviour change. Marking as negligible. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
libdata-validate-ip-perl Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Needed
|
|
| groovy |
Ignored
(end of life)
|
|
| hirsute |
Ignored
(end of life)
|
|
| impish |
Not vulnerable
(0.30-1)
|
|
| jammy |
Not vulnerable
(0.30-1)
|
|
| kinetic |
Not vulnerable
(0.30-1)
|
|
| lunar |
Not vulnerable
(0.30-1)
|
|
| mantic |
Not vulnerable
(0.30-1)
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(0.30-1)
|
|
| xenial |
Needs triage
|
|
|
Patches: upstream: https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.5 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | High |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |