The ipaddress module accepts leading zeros in IPv4 addresses.
Python 3.8 as modified in bpo-36384 to accept leading zeros. The vulnerability was made public in a comment of the issue.
Python 3.8 is left unchanged (accept leading zeros). Python 3.7 and older are not affected.
Vulnerability discovered and reported the same day by two persons: George-Cristian Bîrzan and Felipe Rodrigues.
Dates:
Disclosure date: 2021-03-30 (comment on bpo-36384)
Reported at: 2021-03-30
Reported by: George-Cristian Bîrzan, Felipe Rodrigues (emails to the PSRT list)
Python 3.8.12 (2021-08-30) fixed by commit 03dd89d (branch 3.8) (2021-08-17)
Python 3.9.5 (2021-05-03) fixed by commit 5374fbc (branch 3.9) (2021-05-02)
Python 3.10.0 (2021-10-04) fixed by commit 60ce8f0 (branch 3.10) (2021-05-02)
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
CVE ID: CVE-2021-29921
Published: 2021-05-06
CVSS Score: 7.5
Timeline using the disclosure date 2021-03-30 as reference:
2021-03-30: Reported
2021-03-30: Disclosure date (comment on bpo-36384)
2021-05-02 (+33 days): commit 5374fbc (branch 3.9)
2021-05-02 (+33 days): commit 60ce8f0 (branch 3.10)
2021-05-03 (+34 days): Python 3.9.5 released
2021-05-06 (+37 days): CVE-2021-29921 published
2021-08-17 (+140 days): commit 03dd89d (branch 3.8)
2021-08-30 (+153 days): Python 3.8.12 released
2021-10-04: Python 3.10.0 released
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4