Improper input validation of octal strings in Python 3.8.0 thru v3.10 stdlib ipaddress allows unauthenticated remote attackers to perform indeterminate SSRF, RFI, and LFI attacks on many programs that rely on Python stdlib ipaddress. IP address octets are left stripped instead of evaluated as valid IP addresses. For example, an attacker submitting an IP address to a web application that relies on stdlib ipaddress could cause SSRF via inputting octal input data; an attacker can submit exploitable IP addresses if the octet is 3 digits, with the minimum exploitable octet being 08 (Denial of Service) and the maximum exploitable octet being 099. For example, an attacker can submit 010.8.8.8, which is 8.8.8.8, yet the Python ipaddress builtin will evaluate this as 10.8.8.8. References: https://bugs.python.org/issue36384#msg392423
> an attacker can submit 010.8.8.8, which is 8.8.8.8

No, it is not. This is decimal-dot notation. According to [RFC 3986], "010.8.8.8" is confusing and causes security concerns. According to [Python documentation], "010.8.8.8" is 10.8.8.8. It is incorrect to say "010.8.8.8" is 8.8.8.8.

[RFC 3986]: https://tools.ietf.org/html/rfc3986#section-7.4
[Python documentation]: https://docs.python.org/3/library/ipaddress.html#ipaddress.IPv4Address
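The two comments above disagree about what "010.8.8.8" means, but they agree on the defensive point: an IPv4 literal with a leading-zero octet is ambiguous and should not be accepted from untrusted input. The example below is added here and is not code from the bug report or from CPython; it shows (a) a strict parser that rejects leading zeros the same way on every interpreter, regardless of whether the stdlib fix is installed, (b) a probe that reports how the running interpreter's `ipaddress` handles such input (useful to check whether a deployed Python is affected), and (c) an SSRF egress guard built on the strict parser. The function names and the sample inputs are constructed for this illustration.

```python
"""Strict IPv4 parsing around CVE-2021-29921 (added example, not from the bug report)."""
import ipaddress
import re

# Strict dotted-decimal: four octets, each 0..255, and no leading zeros
# other than a bare "0".  This is the rule the CPython fix enforces, so the
# parser below behaves identically on patched and unpatched interpreters.
_OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]\d|\d)"
_STRICT_IPV4 = re.compile(rf"^{_OCTET}(?:\.{_OCTET}){{3}}$")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Parse an IPv4 literal, rejecting any octet that has a leading zero.

    Raises ValueError for inputs such as '010.8.8.8' or '08.8.8.8', which an
    unpatched stdlib silently reads as decimal (10.8.8.8 / 8.8.8.8).
    """
    if not _STRICT_IPV4.match(text):
        raise ValueError(f"rejected ambiguous or malformed IPv4 literal: {text!r}")
    return ipaddress.IPv4Address(text)


def stdlib_behaviour(text: str) -> str:
    """Report how the running interpreter's ipaddress treats `text`.

    Returns 'rejected' when the stdlib raises (patched builds), otherwise the
    string form it produced, e.g. '10.8.8.8' for '010.8.8.8' on affected builds.
    Run this on a deployed Python to see whether it carries the fix.
    """
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return "rejected"


def is_safe_egress_target(text: str) -> bool:
    """SSRF guard: parse strictly, then allow only globally routable addresses.

    Any literal the strict parser rejects is treated as unsafe, so an
    ambiguous spelling can never be used to reach a loopback or private range
    by way of a lenient downstream parser.
    """
    try:
        addr = strict_ipv4(text)
    except ValueError:
        return False
    return addr.is_global


if __name__ == "__main__":
    # Constructed samples: two leading-zero spellings, one normal public
    # address, and two non-routable addresses.
    for sample in ("010.8.8.8", "08.8.8.8", "8.8.8.8", "0.0.0.0", "127.0.0.1"):
        print(
            f"{sample:>12}  stdlib={stdlib_behaviour(sample):<10}"
            f"  strict={'ok' if is_safe_egress_target(sample) else 'reject'}"
        )
```

On an interpreter that carries the fix, `stdlib_behaviour("010.8.8.8")` returns `'rejected'`; on an affected 3.8/3.9 build it returns `'10.8.8.8'`. The strict parser gives the same verdict either way, which is why an application should validate at its own boundary rather than rely on the interpreter version of every host it is deployed to.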
Patch: https://github.com/python/cpython/commit/60ce8f0be6354ad565393ab449d8de5d713f35bc
python 3.7 and older are not affected. our python-pips include an older version of ipaddress.py, which is not affected
(In reply to Stefan Cornelius from comment #4)
> python 3.7 and newer are not affected. our python-pips include an older
> version of ipaddress.py, which is not affected

I suppose the wording should have been here about Python 3.7 and older?
We are using RHEL7 python3 package, but this package is not listed in the CVE page (CVE-2021-29921), so are we affected by this vulnerability? At present, we are using python3.6.8
In reply to comment #4:
> python 3.7 and newer are not affected. our python-pips include an older
> version of ipaddress.py, which is not affected

Do you mean python 3.7 and older?
Sorry for the confusion: Python 3.7 and *older* are not affected. I've edited my comment above to reflect this.
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:3254 https://access.redhat.com/errata/RHSA-2021:3254
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4160 https://access.redhat.com/errata/RHSA-2021:4160
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4162 https://access.redhat.com/errata/RHSA-2021:4162
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-29921