VDB
CVE-2021-29922
CVE-2021-29922
PUBLISHED
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
EPSS 0.34% · 57.2th percentile
Risk Scores
EPSS Score
0.34%
57.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Ubuntu:22.04:LTS | rustc | 1.51.0+dfsg1+llvm-1~exp3ubuntu1, 0 |
| Ubuntu:16.04:LTS | rustc | 1.47.0+dfsg1+llvm-1ubuntu1~16.04.1, *, * |
| Ubuntu:14.04:LTS | rustc | 1.30.0+dfsg1+llvm-2ubuntu1~14.04.1, *, 1.17.0+dfsg2-8~ubuntu0.14.04.3 |
| Ubuntu:20.04:LTS | rustc | 1.38.0+dfsg0.2+llvm-0ubuntu2, 1.39.0+dfsg1+llvm-3ubuntu1, 1.40.0+dfsg1+llvm-5ubuntu1 |
Exploit Intelligence
Timeline
- Jan 31, 2020 CVE Published
- Aug 8, 2021 EPSS Score
- Oct 6, 2021 EPSS Score
- Dec 4, 2021 EPSS Score
- Jan 31, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Mar 31, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 29, 2022 EPSS Score
- Sep 25, 2022 EPSS Score
- Nov 22, 2022 EPSS Score
- Jan 20, 2023 EPSS Score
References
- https://ubuntu.com/security/CVE-2021-29922 third-party-advisory
- https://github.com/rust-lang/rust/issues/83648 third-party-advisory
- https://github.com/rust-lang/rust/pull/83652 third-party-advisory
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md third-party-advisory
- https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html third-party-advisory
- https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis third-party-advisory
- https://www.cve.org/CVERecord?id=CVE-2021-29922 third-party-advisory