VDB
CVE-2021-29923
CVE-2021-29923
PUBLISHED
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
EPSS 0.25% · 48.8th percentile
Risk Scores
EPSS Score
0.25%
48.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cloudflare | access | |
| Bitnami | golang | 0 |
| Bitnami | golang | 0 |
Timeline
- CVE Published
- Aug 8, 2021 EPSS Score
- Oct 6, 2021 EPSS Score
- Jan 6, 2022 EPSS Score
- Jan 31, 2022 EPSS Score
- Feb 4, 2022 EPSS Score
- Feb 8, 2022 EPSS Score
- Mar 31, 2022 EPSS Score
- Apr 1, 2022 EPSS Score
- May 29, 2022 EPSS Score
- Jul 27, 2022 EPSS Score
- Nov 22, 2022 EPSS Score
References
- https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis url
- https://github.com/golang/go/issues/30999 url
- https://github.com/golang/go/issues/43389 url
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md url
- https://go-review.googlesource.com/c/go/+/325829/ url
- https://golang.org/pkg/net/#ParseCIDR url
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/ url
- https://security.gentoo.org/glsa/202208-02 url
- https://www.oracle.com/security-alerts/cpujan2022.html url
- https://nvd.nist.gov/vuln/detail/CVE-2021-29923 url