Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
References
Link | Resource |
---|---|
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis | Third Party Advisory |
https://github.com/golang/go/issues/30999 | Exploit Issue Tracking Third Party Advisory |
https://github.com/golang/go/issues/43389 | Issue Tracking Third Party Advisory |
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md | Exploit Third Party Advisory |
https://go-review.googlesource.com/c/go/+/325829/ | Patch Third Party Advisory |
https://golang.org/pkg/net/#ParseCIDR | Vendor Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/ | |
https://security.gentoo.org/glsa/202208-02 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2022.html | Patch Third Party Advisory |
History
No history.
MITRE Information
Status: PUBLISHED
Assigner: mitre
Published: 2021-08-07T16:38:59
Updated: 2022-08-04T15:09:33
Reserved: 2021-04-01T00:00:00
Link: CVE-2021-29923
JSON object: View
NVD Information
Status : Modified
Published: 2021-08-07T17:15:07.067
Modified: 2023-11-07T03:32:45.383
Link: CVE-2021-29923
JSON object: View
Redhat Information
No data.
CWE