CVE-2021-29921
CRITICAL9.8EPSS 2.0%發布日:2021/5/6修改日:2025/12/3
也稱為:ALPINE-CVE-2021-29921
描述
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
受影響套件(6)
- Alpine/python3from 0, < 3.9.5-r0
- Bitnami/libpython>= 3.8.0, < 3.8.12, >= 3.9.0, < 3.9.5
- Bitnami/python>= 3.8.0, < 3.8.12, >= 3.9.0, < 3.9.5
- Bitnami/python-min>= 3.8.0, < 3.8.12, >= 3.9.0, < 3.9.5
- Debian/pypy3from 0, < 7.3.8+dfsg-1
- Debian/python3.9from 0, < 3.9.2-1+deb11u2
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
參考連結(20)
- ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2021-29921
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2021-29921
- WEBhttps://bugs.python.org/issue36384
- WEBhttps://docs.python.org/3/library/ipaddress.html
- WEBhttps://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
- WEBhttps://github.com/python/cpython/pull/12577
- WEBhttps://github.com/python/cpython/pull/25099
- WEBhttps://github.com/sickcodes
- WEBhttps://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
- WEBhttps://lists.debian.org/debian-lts-announce/2024/12/msg00000.html
- WEBhttps://nvd.nist.gov/vuln/detail/CVE-2021-29921
- WEBhttps://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
- WEBhttps://security.gentoo.org/glsa/202305-02
- WEBhttps://security.netapp.com/advisory/ntap-20210622-0003/
- WEBhttps://sick.codes/sick-2021-014
- WEBhttps://www.oracle.com/security-alerts/cpuapr2022.html
- WEBhttps://www.oracle.com/security-alerts/cpujan2022.html
- WEBhttps://www.oracle.com//security-alerts/cpujul2021.html
- WEBhttps://www.oracle.com/security-alerts/cpujul2022.html
- WEBhttps://www.oracle.com/security-alerts/cpuoct2021.html