CVE-2021-29923
Severity: HIGH
Go <1.17 - IP Address Access Control Bypass via Octal Parsing
Title source: manual
Description
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
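As an added example (not part of this CVE record or of the Go project's own code), the following wrapper fails closed on the ambiguous literals described above: it refuses any dotted-decimal octet with a leading zero before handing the string to net.ParseIP, so an IP allow-list built on it behaves the same on every Go version. The names ParseIPStrict and Allowed are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// ErrLeadingZero flags an octet such as "010": pre-1.17 Go read it as
// decimal 10, while libc-style parsers read it as octal 8.
var ErrLeadingZero = errors.New("ip octet has a leading zero (ambiguous octal)")

// ParseIPStrict (hypothetical helper) wraps net.ParseIP and rejects leading-zero
// octets in plain IPv4 literals and in the IPv4 tail of IPv4-mapped IPv6
// literals ("::ffff:010.0.0.1"), so no downstream parser can read it differently.
func ParseIPStrict(s string) (net.IP, error) {
	dotted := s
	if i := strings.LastIndex(s, ":"); i >= 0 {
		dotted = s[i+1:] // only the embedded IPv4 part uses dotted decimal
	}
	if strings.Contains(dotted, ".") {
		for _, octet := range strings.Split(dotted, ".") {
			if len(octet) > 1 && octet[0] == '0' {
				return nil, ErrLeadingZero
			}
		}
	}
	ip := net.ParseIP(s)
	if ip == nil {
		return nil, fmt.Errorf("invalid IP address %q", s)
	}
	return ip, nil
}

// Allowed (hypothetical helper) reports whether addr falls inside one of the
// allow-list CIDRs, failing closed on any parse error.
func Allowed(addr string, cidrs []string) bool {
	ip, err := ParseIPStrict(addr)
	if err != nil {
		return false
	}
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}
```

Go 1.17 and later already return nil from net.ParseIP for such literals; the explicit check makes the rejection reason visible and keeps older toolchains from silently accepting them.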
References (9)
Vendor Advisory (x_refsource_misc): https://golang.org/pkg/net/#ParseCIDR
Patch, Third Party Advisory (x_refsource_misc): https://www.oracle.com/security-alerts/cpujan2022.html
Third Party Advisory (x_refsource_misc): https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
Issue Tracking, Third Party Advisory (x_refsource_misc): https://github.com/golang/go/issues/43389
Exploit, Issue Tracking, Third Party Advisory (x_refsource_misc): https://github.com/golang/go/issues/30999
Patch, Third Party Advisory (x_refsource_misc): https://go-review.googlesource.com/c/go/+/325829/
Exploit, Third Party Advisory (x_refsource_misc): https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md
Mailing List, Third Party Advisory (vendor-advisory, x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
Third Party Advisory (vendor-advisory, x_refsource_gentoo): https://security.gentoo.org/glsa/202208-02
Scores
CVSS v3: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.0025 (percentile 48.7%)
Attack Vector: NETWORK
Details
Status: published
Products (3)
fedoraproject/fedora 36
golang/go < 1.17
oracle/timesten_in-memory_database < 21.1.1.1.0
Published: Aug 07, 2021
Tracked Since: Feb 18, 2026