{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2021-29921", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-03T21:44:43.122Z", "dateReserved": "2021-04-01T00:00:00.000Z", "datePublished": "2021-05-06T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-05-03T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://github.com/sickcodes"}, {"url": "https://docs.python.org/3/library/ipaddress.html"}, {"url": "https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst"}, {"url": "https://sick.codes/sick-2021-014"}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md"}, {"url": "https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html"}, {"url": "https://bugs.python.org/issue36384"}, {"url": "https://github.com/python/cpython/pull/12577"}, {"url": "https://github.com/python/cpython/pull/25099"}, {"url": "https://security.netapp.com/advisory/ntap-20210622-0003/"}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"name": "GLSA-202305-02", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202305-02"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://github.com/sickcodes", "tags": ["x_transferred"]}, {"url": "https://docs.python.org/3/library/ipaddress.html", "tags": ["x_transferred"]}, {"url": "https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst", "tags": ["x_transferred"]}, {"url": "https://sick.codes/sick-2021-014", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com//security-alerts/cpujul2021.html", "tags": ["x_transferred"]}, {"url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md", "tags": ["x_transferred"]}, {"url": "https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html", "tags": ["x_transferred"]}, {"url": "https://bugs.python.org/issue36384", "tags": ["x_transferred"]}, {"url": "https://github.com/python/cpython/pull/12577", "tags": ["x_transferred"]}, {"url": "https://github.com/python/cpython/pull/25099", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20210622-0003/", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuoct2021.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujan2022.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpuapr2022.html", "tags": ["x_transferred"]}, {"url": "https://www.oracle.com/security-alerts/cpujul2022.html", "tags": ["x_transferred"]}, {"name": "GLSA-202305-02", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202305-02"}, {"url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:44:43.122Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "AECFC6AC-5ECE-45F8-97F2-6D8D33C49F80", "versionEndExcluding": "3.8.12", "versionStartIncluding": "3.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:python:python:*:*:*:*:*:*:*:*", "matchCriteriaId": "91FD0AF9-B011-4238-8CF1-BDEA0399AF82", "versionEndExcluding": "3.9.5", "versionStartIncluding": "3.9.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "98FB24DB-AF91-48D0-9CA5-C8250D183FD5", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_binding_support_function:1.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "10323322-F6C0-4EA7-9344-736F7A80AA5F", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:communications_cloud_native_core_network_slice_selection_function:1.8.0:*:*:*:*:*:*:*", "matchCriteriaId": "3AA09838-BF13-46AC-BB97-A69F48B73A8A", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:20.3.2:*:*:*:enterprise:*:*:*", "matchCriteriaId": "C21EB1C3-3251-4B99-9D5F-E4E089E2EC62", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:graalvm:21.1.0:*:*:*:enterprise:*:*:*", "matchCriteriaId": "CA0CBB5F-6CA5-4DFC-97A3-05643F8885DB", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:zfs_storage_appliance_kit:8.8:*:*:*:*:*:*:*", "matchCriteriaId": "D3E503FB-6279-4D4A-91D8-E237ECF9D2B0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses."}, {"lang": "es", "value": "En Python antes de la versiones 3,9,5, la biblioteca ipaddress maneja mal los caracteres cero iniciales en los octetos de una cadena de direcciones IP. Esto (en algunas situaciones) permite a los atacantes eludir el control de acceso que se basa en las direcciones IP"}], "id": "CVE-2021-29921", "lastModified": "2025-11-03T22:15:48.057", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2021-05-06T13:15:12.573", "references": [{"source": "[email protected]", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue36384"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://docs.python.org/3/library/ipaddress.html"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/pull/12577"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/pull/25099"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://github.com/sickcodes"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md"}, {"source": "[email protected]", "tags": ["Vendor Advisory"], "url": "https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html"}, {"source": "[email protected]", "url": "https://security.gentoo.org/glsa/202305-02"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210622-0003/"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sick.codes/sick-2021-014"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "[email protected]", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "[email protected]", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Vendor Advisory"], "url": "https://bugs.python.org/issue36384"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://docs.python.org/3/library/ipaddress.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/pull/12577"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/python/cpython/pull/25099"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/sickcodes"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202305-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20210622-0003/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://sick.codes/sick-2021-014"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com//security-alerts/cpujul2021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuapr2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpujan2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.oracle.com/security-alerts/cpujul2022.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Third Party Advisory"], "url": "https://www.oracle.com/security-alerts/cpuoct2021.html"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "[email protected]", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:4160", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39:3.9-8050020210811100211.d428a79b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4160", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python39-devel:3.9-8050020210811100211.d428a79b", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:4162", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "python38-devel:3.8-8050020210811101222.e3d35cca", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-11-09T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-babel-0:2.7.0-12.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-0:3.8.11-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-cryptography-0:2.8-5.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-jinja2-0:2.10.3-6.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-lxml-0:4.4.1-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-pip-0:19.3.1-2.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}, {"advisory": "RHSA-2021:3254", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-python38-python-urllib3-0:1.25.7-7.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-08-24T00:00:00Z"}], "bugzilla": {"description": "python-ipaddress: Improper input validation of octal strings", "id": "1957458", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1957458"}, "csaw": false, "cvss3": {"cvss3_base_score": "9.1", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "status": "verified"}, "cwe": "CWE-20", "details": ["In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.", "A flaw was found in python-ipaddress. Improper input validation of octal strings in stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. The highest threat from this vulnerability is to data integrity and system availability."], "name": "CVE-2021-29921", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-ipaddress", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "python-pip", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python27:2.7/python-ipaddress", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "python36:3.6/python36", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "python27-python-pip", "product_name": "Red Hat Software Collections"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Not affected", "package_name": "rh-python36-python", "product_name": "Red Hat Software Collections"}], "public_date": "2021-04-30T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-29921\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-29921\nhttps://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html"], "threat_severity": "Moderate"}