CVE-2021-29923

high

Description

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

References

https://www.oracle.com/security-alerts/cpujan2022.html

https://security.gentoo.org/glsa/202208-02

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/

https://golang.org/pkg/net/#ParseCIDR

https://go-review.googlesource.com/c/go/+/325829/

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md

https://github.com/golang/go/issues/43389

https://github.com/golang/go/issues/30999

https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis

Details

Source: Mitre, NVD

Published: 2021-08-07

Updated: 2023-11-07

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 7.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Severity: High