Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
References
Link | Resource |
---|---|
https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis | Third Party Advisory |
https://github.com/golang/go/issues/30999 | Exploit Issue Tracking Third Party Advisory |
https://github.com/golang/go/issues/43389 | Issue Tracking Third Party Advisory |
https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md | Exploit Third Party Advisory |
https://go-review.googlesource.com/c/go/+/325829/ | Patch Third Party Advisory |
https://golang.org/pkg/net/#ParseCIDR | Vendor Advisory |
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/ | |
https://security.gentoo.org/glsa/202208-02 | Third Party Advisory |
https://www.oracle.com/security-alerts/cpujan2022.html | Patch Third Party Advisory |
Configurations
History
07 Nov 2023, 03:32
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
14 Sep 2022, 21:11
Type | Values Removed | Values Added |
---|---|---|
References | (GENTOO) https://security.gentoo.org/glsa/202208-02 - Third Party Advisory |
04 Aug 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
22 Apr 2022, 16:20
Type | Values Removed | Values Added |
---|---|---|
References | (FEDORA) https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/ - Mailing List, Third Party Advisory | |
CPE | cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:* | |
First Time |
Fedoraproject fedora
Fedoraproject |
26 Mar 2022, 19:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
01 Mar 2022, 19:16
Type | Values Removed | Values Added |
---|---|---|
CPE | cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:* | |
References | (MISC) https://www.oracle.com/security-alerts/cpujan2022.html - Patch, Third Party Advisory | |
First Time |
Oracle
Oracle timesten In-memory Database |
07 Feb 2022, 16:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
17 Aug 2021, 14:05
Type | Values Removed | Values Added |
---|---|---|
CVSS |
v2 : v3 : |
v2 : 5.0
v3 : 7.5 |
References | (MISC) https://github.com/golang/go/issues/30999 - Exploit, Issue Tracking, Third Party Advisory | |
References | (MISC) https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis - Third Party Advisory | |
References | (MISC) https://golang.org/pkg/net/#ParseCIDR - Vendor Advisory | |
References | (MISC) https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md - Exploit, Third Party Advisory | |
References | (MISC) https://github.com/golang/go/issues/43389 - Issue Tracking, Third Party Advisory | |
References | (MISC) https://go-review.googlesource.com/c/go/+/325829/ - Patch, Third Party Advisory | |
CWE | NVD-CWE-noinfo | |
CPE | cpe:2.3:a:golang:go:*:*:*:*:*:*:*:* |
07 Aug 2021, 17:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2021-08-07 17:15
Updated : 2023-12-10 13:55
NVD link : CVE-2021-29923
Mitre link : CVE-2021-29923
CVE.ORG link : CVE-2021-29923
JSON object : View
Products Affected
oracle
- timesten_in-memory_database
golang
- go
fedoraproject
- fedora
CWE