CVE-2021-29921
Published: 6 May 2021
In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
Notes
| Author | Note |
|---|---|
| mdeslaur | introduced in v3.8.0a4 This issue was re-introduced in python3.8 in focal because of the SRU in LP: #1928057 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
python2.7 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Not vulnerable
(code not present)
|
|
| hirsute |
Not vulnerable
(code not present)
|
|
| impish |
Not vulnerable
(code not present)
|
|
| jammy |
Not vulnerable
(code not present)
|
|
| kinetic |
Not vulnerable
(code not present)
|
|
| lunar |
Does not exist
|
|
| trusty |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
python3.10 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Released
(3.10.0~b1-3~21.04)
|
|
| impish |
Not vulnerable
(3.10.0~b1-2)
|
|
| jammy |
Not vulnerable
(3.10.0~b1-2)
|
|
| kinetic |
Not vulnerable
(3.10.0~b1-2)
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1) |
||
|
python3.4 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.5 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Not vulnerable
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
|
|
|
python3.6 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(3.6.9-1~18.04ubuntu1.4)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.7 Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(3.7.5-2~18.04.4)
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.8 Launchpad, Ubuntu, Debian |
bionic |
Needed
|
| focal |
Released
(3.8.10-0ubuntu1~20.04.1)
|
|
| groovy |
Released
(3.8.6-1ubuntu0.3)
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
python3.9 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| focal |
Released
(3.9.5-3~20.04.1)
|
|
| groovy |
Released
(3.9.5-3~20.10.1)
|
|
| hirsute |
Released
(3.9.5-3~21.04)
|
|
| impish |
Released
(3.9.5-2ubuntu1)
|
|
| jammy |
Does not exist
|
|
| kinetic |
Does not exist
|
|
| lunar |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5) |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 9.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29921
- https://github.com/python/cpython/pull/25099
- https://sick.codes/sick-2021-014
- https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html
- https://github.com/sickcodes
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md
- https://github.com/python/cpython/pull/12577
- https://docs.python.org/3/library/ipaddress.html
- https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst
- https://ubuntu.com/security/notices/USN-4973-1
- https://ubuntu.com/security/notices/USN-4973-2
- NVD
- Launchpad
- Debian