Bug 1957458 (CVE-2021-29921)
| Summary: | CVE-2021-29921 python-ipaddress: Improper input validation of octal strings | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | cstratak, hhorak, jorton, kaycoth, kyoshida, prasanna_marathe, pviktori, python-maint, scorneli, torsava |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | python 3.9 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found in python-ipaddress. Improper input validation of octal strings in stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. The highest threat from this vulnerability is to data integrity and system availability. | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-11-10 00:21:59 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1970504, 1970505, 1970506, 1974304 | | |
| Bug Blocks: | 1957459 | | |
Description
Pedro Sampaio
2021-05-05 19:35:27 UTC
> an attacker can submit 010.8.8.8, which is 8.8.8.8

No, it is not. This is decimal-dot notation. According to [RFC 3986], "010.8.8.8" is confusing and causes security concerns. According to [Python documentation], "010.8.8.8" is 10.8.8.8. It is incorrect to say "010.8.8.8" is 8.8.8.8.

[RFC 3986]: https://tools.ietf.org/html/rfc3986#section-7.4
[Python documentation]: https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address

---

python 3.7 and older are not affected. our python-pips include an older version of ipaddress.py, which is not affected

---

(In reply to Stefan Cornelius from comment #4)
> python 3.7 and newer are not affected. our python-pips include an older
> version of ipaddress.py, which is not affected

I suppose the wording should have been here about Python 3.7 and older?

---

We are using RHEL7 python3 package, but this package is not listed in the CVE page (CVE-2021-29921), so are we affected by this vulnerability? At present, we are using python3.6.8

---

In reply to comment #4:
> python 3.7 and newer are not affected. our python-pips include an older
> version of ipaddress.py, which is not affected

Do you mean python 3.7 and older?

---

Sorry for the confusion: Python 3.7 and *older* are not affected. I've edited my comment above to reflect this.

---

This issue has been addressed in the following products:

Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162

---

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29921
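The disagreement in the thread over whether "010.8.8.8" means 10.8.8.8 or 8.8.8.8 comes down to which parser reads the literal: a decimal-dot reader takes every octet as decimal, while the classic C `inet_aton` treats an octet with a leading zero as octal. The Python example below is added here and is not code from the bug report, from CPython or from Red Hat. It shows the two readings side by side and a strict validator that refuses any literal with a leading-zero octet before handing it to `ipaddress`, so the result no longer depends on which `ipaddress` version (or which C library) ends up parsing the string. The function names and the regular expression are my own; the `inet_aton` model is simplified to four dotted parts (no hex, no short forms).

```python
import ipaddress
import re

# Strict dotted-decimal IPv4 literal: exactly four decimal octets, each 0..255,
# with no leading zeros (a lone "0" is allowed). Hypothetical helper, not from the page.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def parse_strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse `text` only if it is an unambiguous dotted-decimal literal.

    Raises ValueError for anything else, including "010.8.8.8". Rejecting
    leading zeros before calling ipaddress means the accepted value is the
    same on every interpreter version, fixed or not.
    """
    if not _STRICT_IPV4.fullmatch(text):
        raise ValueError(f"not a strict dotted-decimal IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(text)


def _fmt(octets):
    """Join octets back into a dotted string, or None if any is out of range."""
    if octets is None or any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def interpretations(text: str) -> dict:
    """Return how two common parsers would read a four-part dotted literal.

    "decimal-dot": every octet is decimal (the reading the Python documentation
                   quoted in the thread describes: "010.8.8.8" -> 10.8.8.8).
    "inet_aton":   an octet that starts with "0" is octal (the C inet_aton
                   convention: "010.8.8.8" -> 8.8.8.8). Simplified model:
                   only four dotted parts, no hex, no short forms.
    A reading that does not yield a valid address is reported as None.
    """
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return {"decimal-dot": None, "inet_aton": None}
    decimal = [int(p, 10) for p in parts]
    try:
        octal = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
                 for p in parts]
    except ValueError:  # e.g. "09": a leading zero but not valid octal
        octal = None
    return {"decimal-dot": _fmt(decimal), "inet_aton": _fmt(octal)}


def is_ambiguous(text: str) -> bool:
    """True when the two readings disagree, i.e. the literal is parser-dependent."""
    readings = interpretations(text)
    return readings["decimal-dot"] != readings["inet_aton"]


if __name__ == "__main__":
    # Constructed sample inputs, one unambiguous and two with leading zeros.
    for literal in ("10.8.8.8", "010.8.8.8", "09.1.1.1"):
        print(literal, interpretations(literal), "ambiguous" if is_ambiguous(literal) else "ok")
        try:
            print("  accepted:", parse_strict_ipv4(literal))
        except ValueError as exc:
            print("  rejected:", exc)
```

Validating at the boundary with `parse_strict_ipv4` is the durable mitigation: an allow-list or SSRF check that compares addresses only after strict parsing cannot be bypassed by a literal that one component reads as 10.8.8.8 and another as 8.8.8.8. `is_ambiguous` is useful in logging or detection to flag such inputs even where a lenient parser downstream still accepts them.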