CVE-2021-29922

critical

Description

library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
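
To make the octal hazard concrete, the following added example (not code from the Rust project or the advisory) parses the same string under three rules: the lenient decimal reading the pre-1.53 std parser used, the octal-aware reading of inet_aton-style stacks, and the strict rejection Rust 1.53 adopted. The allowlist scenario is constructed for illustration.

```rust
use std::net::Ipv4Addr;

/// How an IPv4 parser treats an octet such as "0127".
#[derive(Clone, Copy)]
enum Mode {
    LenientDecimal, // pre-1.53 std: leading zero ignored, "0127" == 127
    OctalAware,     // inet_aton-style stacks: leading zero means octal, "0127" == 87
    Strict,         // Rust >= 1.53 std: a leading zero is a parse error
}

/// Parse a dotted quad under the chosen rule. Returns None for anything
/// that is not four digit groups whose values fit in a byte.
fn parse_ipv4(s: &str, mode: Mode) -> Option<Ipv4Addr> {
    let parts: Vec<&str> = s.split('.').collect();
    if parts.len() != 4 {
        return None;
    }
    let mut octets = [0u8; 4];
    for (slot, p) in octets.iter_mut().zip(parts) {
        if p.is_empty() || !p.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        let leading_zero = p.len() > 1 && p.starts_with('0');
        let value = match mode {
            Mode::Strict if leading_zero => return None,
            Mode::OctalAware if leading_zero => u32::from_str_radix(&p[1..], 8).ok()?,
            _ => p.parse::<u32>().ok()?,
        };
        if value > 255 {
            return None;
        }
        *slot = value as u8;
    }
    Some(Ipv4Addr::from(octets))
}

/// Allowlist check as a service might perform it on a client-supplied
/// address string (constructed scenario): trust the client only if the
/// string parses under `mode` and the result is on the allowlist.
fn allowed(client: &str, allowlist: &[Ipv4Addr], mode: Mode) -> bool {
    parse_ipv4(client, mode).map_or(false, |ip| allowlist.contains(&ip))
}
```

The same input "0127.0.0.1" is loopback to the lenient parser and 87.0.0.1 to an octal-aware one, which is exactly the disagreement an IP-based access control must not tolerate; strict rejection removes the ambiguity.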

References

https://security.gentoo.org/glsa/202210-09

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md

https://github.com/rust-lang/rust/pull/83652

https://github.com/rust-lang/rust/issues/83648

https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html

https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis

Details

Source: Mitre, NVD

Published: 2021-08-07

Updated: 2022-11-07

Risk Information

CVSS v2

Base Score: 6.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P

Severity: Medium

CVSS v3

Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Severity: Critical