CVE-2021-29921

CRITICAL

Python < 3.9.5 - IP Address Validation Bypass via Leading Zero Octets

Title source: llm

Description

In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
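A version-independent guard for IP-based access checks, added here as an example (it is not code from this record or from CPython): it rejects any octet with a leading zero before the address reaches the allowlist. The function names and the allowlist are hypothetical, and the decimal-versus-octal ambiguity shown in two_readings is an assumption about how a zero-stripping parser and an inet_aton-style parser would disagree on the same string.

```python
import ipaddress

# Constructed allowlist for this example.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_ipv4_strict(text):
    """Parse dotted-decimal IPv4, rejecting any octet with a leading zero.

    The digit checks are done here, so the result does not depend on
    whether the interpreter is older or newer than 3.9.5.
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    octets = []
    for part in parts:
        # ASCII digits only; str.isdigit() alone also accepts other Unicode digits.
        if not (part.isascii() and part.isdigit()):
            raise ValueError(f"non-decimal octet in {text!r}")
        if len(part) > 1 and part[0] == "0":
            raise ValueError(f"leading zero in octet {part!r} of {text!r}")
        if int(part) > 255:
            raise ValueError(f"octet out of range in {text!r}")
        octets.append(int(part))
    return ipaddress.IPv4Address(bytes(octets))


def two_readings(text):
    """Return (decimal, octal) readings of a leading-zero address.

    Assumption: a zero-stripping parser yields the first reading, while an
    inet_aton-style parser treats a leading "0" as an octal prefix.
    """
    parts = text.split(".")
    decimal = ".".join(str(int(p, 10)) for p in parts)
    octal = ".".join(str(int(p, 8) if p.startswith("0") else int(p)) for p in parts)
    return decimal, octal


def is_allowed(text):
    """Allowlist check that fails closed on ambiguous or malformed input."""
    try:
        addr = parse_ipv4_strict(text)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)
```

Rejecting the string outright, rather than normalising it, keeps the access-control decision and any later consumer of the same string from disagreeing about which host it names.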

Scores

CVSS v3 9.8
EPSS 0.0205
EPSS Percentile 84.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

Status published
Products (7)
oracle/communications_cloud_native_core_automated_test_suite 1.8.0
oracle/communications_cloud_native_core_binding_support_function 1.11.0
oracle/communications_cloud_native_core_network_slice_selection_function 1.8.0
oracle/graalvm 20.3.2
oracle/graalvm 21.1.0
oracle/zfs_storage_appliance_kit 8.8
python/python 3.8.0 - 3.8.12
Published May 06, 2021
Tracked Since Feb 18, 2026