CVE-2021-29921

Name: CVE-2021-29921
Description: In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severity: high
Debian Bugs: 989195

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| python3.9 (PTS) | bullseye, sid | 3.9.2-1 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| python3.9 | source | experimental | 3.9.5-1 | | | |
| python3.9 | source | (unstable) | (unfixed) | | | 989195 |

Notes

https://bugs.python.org/issue36384#msg392423
https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc (v3.10.0b1)
https://github.com/python/cpython/commit/5374fbc31446364bf5f12e5ab88c5493c35eaf04 (v3.9.5)
Introduced by: https://github.com/python/cpython/commit/e653d4d8e820a7a004ad399530af0135b45db27a (v3.8.0a4)
