ipaddress leading zeros in IPv4 address

The ipaddress module accepts leading zeros in IPv4 addresses.

  • Disclosure date: 2019-03-20 (Python issue bpo-36384 reported)

Vulnerable Versions

  • Python 3.6 (need commit)
  • Python 3.7 (need commit)
  • Python 3.8 (need commit)
  • Python 3.9 (need commit)

Python issue

[security] CVE-2021-29921: ipaddress Should not reject IPv4 addresses with leading zeroes as ambiguously octal.

  • Python issue: bpo-36384
  • Creation date: 2019-03-20
  • Reporter: Joel Croteau

CVE-2021-29921

Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid IP addresses.

Timeline

Timeline using the disclosure date 2019-03-20 as reference:

  • 2019-03-20: Python issue bpo-36384 reported by Joel Croteau
  • 2021-05-06 (+778 days): CVE-2021-29921 published