Bug 2270058 (CVE-2021-47154) - CVE-2021-47154 Perl-Net-CIDR-Lite: improper handling of extraneous zero characters in an IP address string
Keywords:
Status: NEW
Alias: CVE-2021-47154
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority / Severity: medium / medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2270059 2270060
Blocks: 2270061
Reported: 2024-03-18 11:18 UTC by TEJ RATHI
Modified: 2024-03-19 11:19 UTC (History)

Fixed In Version: perl-Net-CIDR-Lite 0.22
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Perl module Net::CIDR::Lite, where extraneous zero characters at the start of an IP address string are not adequately handled. This flaw may enable attackers to circumvent IP address-based access controls in certain scenarios.
Clone Of:
Environment:
Last Closed:
Embargoed:



Description TEJ RATHI 2024-03-18 11:18:05 UTC
The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://github.com/stigtsp/Net-CIDR-Lite/commit/23b6ff0590dc279521863a502e890ef19a5a76fc
https://metacpan.org/dist/Net-CIDR-Lite/changes
https://metacpan.org/pod/Net::CIDR::Lite
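The flaw class described above, illustrated with an added Perl example that is not code from Net::CIDR::Lite or from this bug: a lenient dotted-quad parser that silently accepts octets with leading zeros sits beside a strict one that rejects them. The allow-list check (a constructed 10.0.0.0/8 rule) and all sample addresses are assumptions for the demonstration. The point for a defender is that different parsers disagree on what "010" means (decimal 10 in a naive numeric conversion, octal 8 in the C inet_aton family), so an access control that normalises such strings one way can be checked against a different address than the one the rest of the system uses; the safe course is to reject the ambiguous form.

```perl
#!/usr/bin/perl
# Added example, not part of Net::CIDR::Lite: contrast a lenient IPv4 parser
# that tolerates extraneous leading zeros with a strict one that rejects them.
use strict;
use warnings;

# Lenient parse: each octet is any run of digits; "010" is read as 10.
# This models the class of weakness in the bug, not the module's actual code.
sub lenient_ipv4_to_int {
    my ($s) = @_;
    my @octets = split /\./, $s, -1;
    return undef unless @octets == 4;
    my $n = 0;
    for my $octet (@octets) {
        return undef unless $octet =~ /^\d+$/ && $octet <= 255;
        $n = ($n << 8) | $octet;
    }
    return $n;
}

# Strict parse: exactly four decimal octets, each either "0" or a number
# with no leading zero, in the range 0-255. Anything else is rejected.
sub strict_ipv4_to_int {
    my ($s) = @_;
    return undef unless $s =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
    my @octets = ($1, $2, $3, $4);   # copy before any further regex use
    my $n = 0;
    for my $octet (@octets) {
        return undef if length($octet) > 1 && $octet =~ /^0/;  # "010", "00"
        return undef if $octet > 255;
        $n = ($n << 8) | $octet;
    }
    return $n;
}

# Constructed allow-list rule: is the address inside 10.0.0.0/8?
# Returns 1 for allowed, 0 for denied or unparseable.
sub allowed_by_10_slash_8 {
    my ($parser, $addr) = @_;
    my $n = $parser->($addr);
    return 0 unless defined $n;
    return (($n >> 24) == 10) ? 1 : 0;
}

# Constructed sample inputs: a normal address, two with leading zeros,
# and one clearly outside the allowed range.
for my $addr ('10.1.2.3', '010.1.2.3', '10.01.2.3', '8.8.8.8') {
    printf "%-12s lenient=%d strict=%d\n", $addr,
        allowed_by_10_slash_8(\&lenient_ipv4_to_int, $addr),
        allowed_by_10_slash_8(\&strict_ipv4_to_int,  $addr);
}
```

Run with `perl` and note that the lenient parser reports "010.1.2.3" and "10.01.2.3" as allowed while the strict parser denies both; only the canonical form passes both checks. The copy of `$1`..`$4` into `@octets` is deliberate: `foreach` aliases its list elements, and the inner `/^0/` match would otherwise reset the capture variables mid-loop.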

Comment 1 TEJ RATHI 2024-03-18 11:22:22 UTC
Created perl-Net-CIDR-Lite tracking bugs for this issue:

Affects: epel-all [bug 2270059]
Affects: fedora-all [bug 2270060]

Comment 3 Martin Osvald 🛹 2024-03-19 06:43:04 UTC
This must be some kind of bug in tooling or something. Every reported distro is fixed already/having 0.22 version for a long time.

This should be closed.

Comment 4 TEJ RATHI 2024-03-19 11:19:37 UTC
In reply to comment #3:
> This must be some kind of bug in tooling or something. Every reported distro
> is fixed already/having 0.22 version for a long time.
> 
> This should be closed.

Hey, this is not a tooling issue anyways. Those are just security notification trackers.

