VDB
BIT-python-2021-29921
BIT-python-2021-29921
PUBLISHED
CVSS 9.800000190734863 CRITICAL
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
Risk Scores
CVSS 3.1
9.800000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bitnami | python | 3.8.0, 3.9.0, 3.8.0 |
Timeline
- Mar 6, 2024 CVE Published
- Nov 6, 2025 CVE Updated
References
- https://bugs.python.org/issue36384 url
- https://docs.python.org/3/library/ipaddress.html url
- https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst url
- https://github.com/python/cpython/pull/12577 url
- https://github.com/python/cpython/pull/25099 url
- https://github.com/sickcodes url
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md url
- https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html url
- https://security.gentoo.org/glsa/202305-02 url
- https://security.netapp.com/advisory/ntap-20210622-0003/ url
- https://sick.codes/sick-2021-014 url
- https://www.oracle.com//security-alerts/cpujul2021.html url
- https://www.oracle.com/security-alerts/cpuapr2022.html url
- https://www.oracle.com/security-alerts/cpujan2022.html url
- https://www.oracle.com/security-alerts/cpujul2022.html url
- https://www.oracle.com/security-alerts/cpuoct2021.html url
- https://nvd.nist.gov/vuln/detail/CVE-2021-29921 url
- https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html url