CVE-2021-29923 - OpenCVE

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:N/C:N/I:P/A:N

Vendors & Products
CPE Configurations

Vendors	Products
Golang	Go
Oracle	Timesten In-memory Database
Fedoraproject	Fedora

Configuration 1 [-]

cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*

Configuration 2 [-]

cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*

Configuration 3 [-]

cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*

References

Link	Resource
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis	Third Party Advisory
https://github.com/golang/go/issues/30999	Exploit Issue Tracking Third Party Advisory
https://github.com/golang/go/issues/43389	Issue Tracking Third Party Advisory
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md	Exploit Third Party Advisory
https://go-review.googlesource.com/c/go/+/325829/	Patch Third Party Advisory
https://golang.org/pkg/net/#ParseCIDR	Vendor Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/
https://security.gentoo.org/glsa/202208-02	Third Party Advisory
https://www.oracle.com/security-alerts/cpujan2022.html	Patch Third Party Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: mitre

Published: 2021-08-07T16:38:59

Updated: 2022-08-04T15:09:33

Reserved: 2021-04-01T00:00:00

Link: CVE-2021-29923

JSON object: View

NVD Information

Status : Modified

Published: 2021-08-07T17:15:07.067

Modified: 2023-11-07T03:32:45.383

Link: CVE-2021-29923

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2022-08-04T15:09:33", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://golang.org/pkg/net/#ParseCIDR"}, {"tags": ["x_refsource_MISC"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"tags": ["x_refsource_MISC"], "url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/golang/go/issues/43389"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/golang/go/issues/30999"}, {"tags": ["x_refsource_MISC"], "url": "https://go-review.googlesource.com/c/go/+/325829/"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"}, {"name": "FEDORA-2022-17d004ed71", "tags": ["vendor-advisory", "x_refsource_FEDORA"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"}, {"name": "GLSA-202208-02", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-02"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2021-29923", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://golang.org/pkg/net/#ParseCIDR", "refsource": "MISC", "url": "https://golang.org/pkg/net/#ParseCIDR"}, {"name": "https://www.oracle.com/security-alerts/cpujan2022.html", "refsource": "MISC", "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"name": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis", "refsource": "MISC", "url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"}, {"name": "https://github.com/golang/go/issues/43389", "refsource": "MISC", "url": "https://github.com/golang/go/issues/43389"}, {"name": "https://github.com/golang/go/issues/30999", "refsource": "MISC", "url": "https://github.com/golang/go/issues/30999"}, {"name": "https://go-review.googlesource.com/c/go/+/325829/", "refsource": "MISC", "url": "https://go-review.googlesource.com/c/go/+/325829/"}, {"name": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md", "refsource": "MISC", "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"}, {"name": "FEDORA-2022-17d004ed71", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"}, {"name": "GLSA-202208-02", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-02"}]}}}}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2021-29923", "datePublished": "2021-08-07T16:38:59", "dateReserved": "2021-04-01T00:00:00", "dateUpdated": "2022-08-04T15:09:33", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*", "matchCriteriaId": "D39D5C21-8281-429F-AC33-CE39821CA3EC", "versionEndExcluding": "1.17", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*", "matchCriteriaId": "20290BBC-E3C9-4B96-94FE-2DFADD4BF1F1", "versionEndExcluding": "21.1.1.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*", "matchCriteriaId": "5C675112-476C-4D7C-BCB9-A2FB2D0BC9FD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."}, {"lang": "es", "value": "Go versiones anteriores a 1.17, no considera apropiadamente los caracteres cero extra\u00f1os al principio de un octeto de direcci\u00f3n IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en las direcciones IP, debido a una interpretaci\u00f3n octal inesperada. Esto afecta a net.ParseIP y net.ParseCIDR"}], "id": "CVE-2021-29923", "lastModified": "2023-11-07T03:32:45.383", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-07T17:15:07.067", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/30999"}, {"source": "cve@mitre.org", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/golang/go/issues/43389"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://go-review.googlesource.com/c/go/+/325829/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://golang.org/pkg/net/#ParseCIDR"}, {"source": "cve@mitre.org", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-02"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}