CVE-2021-29921 — CRITICAL (9.8)

Q: How severe is CVE-2021-29921?

CVE-2021-29921 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2021-29921?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Slice Selection Function, Oracle Graalvm.

Vulnerability Description

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Python	Python	>= 3.8.0, < 3.8.12
Oracle	Communications Cloud Native Core Automated Test Suite	1.8.0
Oracle	Communications Cloud Native Core Binding Support Function	1.11.0
Oracle	Communications Cloud Native Core Network Slice Selection Function	1.8.0
Oracle	Graalvm	20.3.2
Oracle	Zfs Storage Appliance Kit	8.8

References

https://bugs.python.org/issue36384Issue TrackingPatchVendor Advisory
https://docs.python.org/3/library/ipaddress.htmlVendor Advisory
https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Third Party Advisory
https://github.com/python/cpython/pull/12577PatchThird Party Advisory
https://github.com/python/cpython/pull/25099PatchThird Party Advisory
https://github.com/sickcodesThird Party Advisory
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.mdExploitThird Party Advisory
https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.htmlVendor Advisory
https://security.gentoo.org/glsa/202305-02
https://security.netapp.com/advisory/ntap-20210622-0003/Third Party Advisory
https://sick.codes/sick-2021-014ExploitThird Party Advisory
https://www.oracle.com//security-alerts/cpujul2021.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpuapr2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.htmlPatchThird Party Advisory
https://www.oracle.com/security-alerts/cpujul2022.html

FAQ

What is CVE-2021-29921?

CVE-2021-29921 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is base...

How severe is CVE-2021-29921?

CVE-2021-29921 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2021-29921?

Check the references section above for vendor advisories and patch information. Affected products include: Python Python, Oracle Communications Cloud Native Core Automated Test Suite, Oracle Communications Cloud Native Core Binding Support Function, Oracle Communications Cloud Native Core Network Slice Selection Function, Oracle Graalvm.