CVE-2021-29424

HIGH

Net::Netmask <2.0000 - Info Disclosure

Title source: llm

Description

The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

References (6)

[Exploit, Third Party Advisory] https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

[Release Notes, Third Party Advisory] https://metacpan.org/changes/distribution/Net-Netmask#L11-22

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JF4CYIZELC3NISB3RMV4OCI4GYBC557B/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y7JIPQAY5OZ5D3DA7INQILU7SGHTHMWB/

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20210604-0007/

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 24.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-704

Status published

Products (4)

fedoraproject/fedora 32

fedoraproject/fedora 33

fedoraproject/fedora 34

net\/\ < 2.0000

Published Apr 06, 2021

Tracked Since Feb 18, 2026