CVE-2021-29921
Description
In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
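As an added illustration (not part of this advisory), the Python below shows why the leading-zero handling matters for IP-based access control: a strict parser that rejects leading-zero octets regardless of interpreter version, next to a model of the C inet_aton() convention that reads such an octet as octal, so the same string names two different hosts. The function names are this example's own.

```python
import ipaddress
import re

# Canonical dotted quad: four decimal octets with no leading zeros ("0" alone is fine).
_OCTET = r"(?:0|[1-9][0-9]{0,2})"
STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def parse_strict_ipv4(text):
    """Return an IPv4Address for a canonical dotted quad, otherwise None.

    Leading-zero octets such as "010.8.8.8" are rejected before the string
    reaches ipaddress, so the outcome is the same on interpreters older than 3.9.5.
    """
    if not STRICT_IPV4.match(text):
        return None
    try:
        return ipaddress.IPv4Address(text)  # still rejects octets above 255
    except ValueError:
        return None


def parse_inet_aton_style(text):
    """Model of how C inet_aton() reads the same string: a leading 0 makes the
    octet octal. Pure-Python illustration for this example, not a library call.
    """
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    try:
        octets = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p) for p in parts]
    except ValueError:  # e.g. "09" is not valid octal
        return None
    if any(o > 255 for o in octets):
        return None
    return ipaddress.IPv4Address(".".join(str(o) for o in octets))


def is_allowed(client_ip, allowed_cidrs):
    """Allowlist check that only ever compares canonical addresses."""
    addr = parse_strict_ipv4(client_ip)
    if addr is None:
        return False
    return any(addr in ipaddress.ip_network(cidr) for cidr in allowed_cidrs)
```

The unpatched library read "010.8.8.8" as 10.8.8.8 while inet_aton-style parsers read it as 8.8.8.8; rejecting the non-canonical form up front removes the disagreement.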
Mitigations
Mitigation details
Description
python-ipaddress: Improper input validation of octal strings
CVSS v3: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
Errata / fixed releases
| Product | Package | Advisory | Released |
|---|---|---|---|
| Red Hat Enterprise Linux 8 | python39:3.9-8050020210811100211.d428a79b | RHSA-2021:4160 | 2021-11-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | python39-devel:3.9-8050020210811100211.d428a79b | RHSA-2021:4160 | 2021-11-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | python38:3.8-8050020210811101222.e3d35cca | RHSA-2021:4162 | 2021-11-09T00:00:00Z |
| Red Hat Enterprise Linux 8 | python38-devel:3.8-8050020210811101222.e3d35cca | RHSA-2021:4162 | 2021-11-09T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-babel-0:2.7.0-12.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-0:3.8.11-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-cryptography-0:2.8-5.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-jinja2-0:2.10.3-6.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-lxml-0:4.4.1-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-pip-0:19.3.1-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-python38-python-urllib3-0:1.25.7-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-babel-0:2.7.0-12.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-0:3.8.11-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-cryptography-0:2.8-5.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-jinja2-0:2.10.3-6.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-lxml-0:4.4.1-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-pip-0:19.3.1-2.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
| Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS | rh-python38-python-urllib3-0:1.25.7-7.el7 | RHSA-2021:3254 | 2021-08-24T00:00:00Z |
Package state
| Product | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 7 | python-ipaddress | Not affected |
| Red Hat Enterprise Linux 7 | python-pip | Not affected |
| Red Hat Enterprise Linux 8 | python27:2.7/python-ipaddress | Not affected |
| Red Hat Enterprise Linux 8 | python36:3.6/python36 | Not affected |
| Red Hat Software Collections | python27-python-pip | Not affected |
| Red Hat Software Collections | rh-python36-python | Not affected |
Apply commands
```shell
yum update -y python39:3
# or:
dnf upgrade -y python39:3
```
Affected
| Vendor | Product | Version |
|---|---|---|
| redhat | Red Hat Enterprise Linux 7 | Not affected |
| redhat | Red Hat Enterprise Linux 8 | Not affected |
| redhat | Red Hat Software Collections | Not affected |
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Affected | - |
Arch Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| - | Fixed | 3.9.5-1 |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 7.3.8+dfsg-1 |
| sid | Fixed | 7.3.8+dfsg-1 |
| forky | Fixed | 7.3.8+dfsg-1 |
| bullseye | Fixed | 0 |
| bookworm | Fixed | 7.3.8+dfsg-1 |
Red Hat Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
Rocky Linux Fixed 1 release
| Version | Status | Fixed in |
|---|---|---|
| 8 | Fixed | - |
References
- https://www.suse.com/security/cve/CVE-2021-29921.html
- https://errata.rockylinux.org/RLSA-2021:4162
- https://errata.rockylinux.org/RLSA-2021:4160
- https://security-tracker.debian.org/tracker/CVE-2021-29921
- https://errata.almalinux.org/8/ALSA-2021-4160.html
- https://errata.almalinux.org/8/ALSA-2021-4162.html
- https://access.redhat.com/errata/RHSA-2021:4160
- https://access.redhat.com/errata/RHSA-2021:4162