ipaddress leading zeros in IPv4 address¶
The ipaddress module accepts leading zeros in IPv4 addresses.
Python 3.8 is left unchanged (accept leading zeros). Python 3.7 and older are not affected.
Vulnerability discovered and reported the same day by two persons: George-Cristian Bîrzan and Felipe Rodrigues.
- Disclosure date: 2021-03-30 (comment on bpo-36384)
- Reported at: 2021-03-30
- Reported by: George-Cristian Bîrzan, Felipe Rodrigues (emails to the PSRT list)
Improper input validation of octal strings in Python stdlib ipaddress 3.10 and below allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octects are left stripped instead of evaluated as valid IP addresses.
- CVE ID: CVE-2021-29921
- Published: 2021-05-06
Timeline using the disclosure date 2021-03-30 as reference:
- 2021-03-30 (+0 days): Reported
- 2021-03-30: Disclosure date (comment on bpo-36384)
- 2021-05-02 (+33 days): commit 5374fbc (branch 3.9)
- 2021-05-02 (+33 days): commit 60ce8f0 (branch 3.10)
- 2021-05-03 (+34 days): Python 3.9.5 released
- 2021-05-06 (+37 days): CVE-2021-29921 published
- 2021-08-17 (+140 days): commit 03dd89d (branch 3.8)
- 2021-08-31 (+154 days): Python 3.8.12 released
- 2021-10-04: Python 3.10.0 released