github - ghsa-38h6-vxp4-qxvm

ghsa-38h6-vxp4-qxvm

Vulnerability from github

Published

2022-05-24 19:10

Modified

2022-05-24 19:10

Severity

7.5 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2021-29923"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-07T17:15:00Z",
    "severity": "HIGH"
  },
  "details": "Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.",
  "id": "GHSA-38h6-vxp4-qxvm",
  "modified": "2022-05-24T19:10:21Z",
  "published": "2022-05-24T19:10:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-29923"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/go/issues/30999"
    },
    {
      "type": "WEB",
      "url": "https://github.com/golang/go/issues/43389"
    },
    {
      "type": "WEB",
      "url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"
    },
    {
      "type": "WEB",
      "url": "https://go-review.googlesource.com/c/go/+/325829"
    },
    {
      "type": "WEB",
      "url": "https://golang.org/pkg/net/#ParseCIDR"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-02"
    },
    {
      "type": "WEB",
      "url": "https://www.oracle.com/security-alerts/cpujan2022.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

cve-2021-29923

Vulnerability from cvelistv5

Published

2021-08-07 16:38

Modified

2024-08-03 22:18

Severity

Summary

References

URL	Tags
https://golang.org/pkg/net/#ParseCIDR	x_refsource_MISC
https://www.oracle.com/security-alerts/cpujan2022.html	x_refsource_MISC
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis	x_refsource_MISC
https://github.com/golang/go/issues/43389	x_refsource_MISC
https://github.com/golang/go/issues/30999	x_refsource_MISC
https://go-review.googlesource.com/c/go/+/325829/	x_refsource_MISC
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md	x_refsource_MISC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/	vendor-advisory, x_refsource_FEDORA
https://security.gentoo.org/glsa/202208-02	vendor-advisory, x_refsource_GENTOO

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website