CVE-2021-4456
Last modified
CVE-2021-4456 is a medium-severity vulnerability rated 6.5/10 on the CVSS scale. Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. EPSS estimates a 0.32% chance of exploitation in the next 30 days.
Description
Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Mrsam | Net\ | < 0.24 | Cidr |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2021-4456?
How severe is CVE-2021-4456?
How do I fix CVE-2021-4456?
Are you affected by CVE-2021-4456?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST