CVE-2021-29662

Published: Mar 31, 2021Modified: Nov 21, 2024

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Exploitability: 3.9 / Impact: 3.6

Source: NVD

Description

The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

Affected (2)

Products: Data\: \ · Netapp: Snapcenter

Data\

1 product

Netapp

1 product

Snapcenter

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Data\ \	Up to 0.29

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Netapp Snapcenter	All versions

Related CWEs

CWE-704

Incorrect Type Conversion or Cast

The product does not correctly convert an object, resource, or structure from one type to a different type.

References (12)

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/houseabsolute/Data-Validate-IP

Source: cve@mitre.org

ProductThird Party Advisory

https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e

Source: cve@mitre.org

PatchThird Party Advisory

https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-018.md

Source: cve@mitre.org

ExploitThird Party Advisory

https://security.netapp.com/advisory/ntap-20210604-0002/

Source: cve@mitre.org

Third Party Advisory

https://sick.codes/sick-2021-018/

Source: cve@mitre.org

ExploitThird Party Advisory

https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/