ipaddress leading zeros in IPv4 address

Warning

This resource is maintained for historical reference and does not contain the latest vulnerability info for Python.

The canonical database for vulnerabilities affecting Python is available on GitHub in the Open Source Vulnerability (OSV) format. This vulnerability can be viewed online at the Open Source Vulnerability Database.

The ipaddress module accepts leading zeros in IPv4 addresses.

Python 3.8 as modified in bpo-36384 to accept leading zeros. The vulnerability was made public in a comment of the issue.

Python 3.8 is left unchanged (accept leading zeros). Python 3.7 and older are not affected.

Vulnerability discovered and reported the same day by two persons: George-Cristian Bîrzan and Felipe Rodrigues.

Dates:

  • Disclosure date: 2021-03-30 (comment on bpo-36384)
  • Reported at: 2021-03-30
  • Reported by: George-Cristian Bîrzan, Felipe Rodrigues (emails to the PSRT list)

Fixed In

CVE-2021-29921

In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.

Timeline

Timeline using the disclosure date 2021-03-30 as reference: