Lucene search

K
ubuntucveUbuntu.comUB:CVE-2021-29921
HistoryMay 06, 2021 - 12:00 a.m.

CVE-2021-29921

2021-05-0600:00:00
ubuntu.com
ubuntu.com
36
python
ipaddress library
access control
leading zero
octets
security vulnerability

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

81.7%

In Python before 3,9,5, the ipaddress library mishandles leading zero
characters in the octets of an IP address string. This (in some situations)
allows attackers to bypass access control that is based on IP addresses.

Bugs

Notes

Author Note
mdeslaur introduced in v3.8.0a4 This issue was re-introduced in python3.8 in focal because of the SRU in LP: #1928057
OSVersionArchitecturePackageVersionFilename
ubuntu21.04noarchpython3.10< 3.10.0~b1-3~21.04UNKNOWN
ubuntu18.04noarchpython3.8< 3.8.0-3ubuntu1~18.04.2+esm2UNKNOWN
ubuntu20.04noarchpython3.8< 3.8.10-0ubuntu1~20.04.1UNKNOWN
ubuntu20.10noarchpython3.8< 3.8.6-1ubuntu0.3UNKNOWN
ubuntu20.04noarchpython3.9< 3.9.5-3~20.04.1UNKNOWN
ubuntu20.10noarchpython3.9< 3.9.5-3~20.10.1UNKNOWN
ubuntu21.04noarchpython3.9< 3.9.5-3~21.04UNKNOWN
ubuntu21.10noarchpython3.9< 3.9.5-2ubuntu1UNKNOWN

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.008

Percentile

81.7%