{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-29922", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-03T22:18:03.280Z", "dateReserved": "2021-04-01T00:00:00", "datePublished": "2021-08-07T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2022-10-16T00:00:00"}, "descriptions": [{"lang": "en", "value": "library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html"}, {"url": "https://github.com/rust-lang/rust/pull/83652"}, {"url": "https://github.com/rust-lang/rust/issues/83648"}, {"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md"}, {"url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"}, {"name": "GLSA-202210-09", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202210-09"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T22:18:03.280Z"}, "title": "CVE Program Container", "references": [{"url": "https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html", "tags": ["x_transferred"]}, {"url": "https://github.com/rust-lang/rust/pull/83652", "tags": ["x_transferred"]}, {"url": "https://github.com/rust-lang/rust/issues/83648", "tags": ["x_transferred"]}, {"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md", "tags": ["x_transferred"]}, {"url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis", "tags": ["x_transferred"]}, {"name": "GLSA-202210-09", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202210-09"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*", "matchCriteriaId": "741A7D4B-BB43-4836-9065-A34AE6262038", "versionEndExcluding": "1.53.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation."}, {"lang": "es", "value": "El archivo library/std/src/net/parser.rs en Rust versiones anteriores a 1.53.0, no considera apropiadamente los caracteres cero extra\u00f1os al principio de una cadena de direcciones IP, lo que (en algunas situaciones) permite a atacantes omitir el control de acceso que es basado en las direcciones IP, debido a una interpretaci\u00f3n octal inesperada"}], "id": "CVE-2021-29922", "lastModified": "2022-11-07T16:36:47.573", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.4, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-08-07T17:15:06.907", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://github.com/rust-lang/rust/issues/83648"}, {"source": "cve@mitre.org", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/rust-lang/rust/pull/83652"}, {"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202210-09"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4270", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "rust-toolset:rhel8-8050020210817185544.f73640c0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}], "bugzilla": {"description": "rust: incorrect parsing of extraneous zero characters at the beginning of an IP address string", "id": "1991962", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1991962"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "status": "verified"}, "cwe": "CWE-20", "details": ["library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.", "A flaw was found in rust. Extraneous zero characters at the beginning of an IP address string are not properly considered which can allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2021-29922", "package_state": [{"cpe": "cpe:/a:redhat:devtools:", "fix_state": "Affected", "package_name": "rust-toolset-1.52-rust", "product_name": "Red Hat Developer Tools"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "rust", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2021-03-29T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-29922\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-29922"], "threat_severity": "Moderate", "upstream_fix": "rust 1.53.0"}