Description
The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
References (6)
Core 6
Core References
Exploit, Third Party Advisory x_refsource_misc
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
Patch, Third Party Advisory x_refsource_misc
https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e
Exploit, Third Party Advisory x_refsource_misc
https://sick.codes/sick-2021-018/
Product, Third Party Advisory x_refsource_misc
https://github.com/houseabsolute/Data-Validate-IP
Exploit, Third Party Advisory x_refsource_misc
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-018.md
Third Party Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20210604-0002/
Scores
CVSS v3
7.5
EPSS
0.0219
EPSS Percentile
80.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Details
CWE
CWE-704
Status
published
Products (2)
data\/\
< 0.29
netapp/snapcenter
Published
Mar 31, 2021
Tracked Since
Feb 18, 2026