IP Address Control Bypass in Go Programming Language by Google
CVE-2021-29923

7.5 HIGH

Key Information:

Vendor: Golang

Status
Vendor
CVE Published: 7 August 2021

What is CVE-2021-29923?

A vulnerability in Go versions prior to 1.17 lets attackers exploit the incorrect handling of IP address octets that are open to octal interpretation. Specifically, the net.ParseIP and net.ParseCIDR functions misinterpret extraneous leading zeroes in an octet, which can allow unauthorized access by bypassing intended IP address controls. The flaw undermines network security mechanisms that rely on accurate IP validation.
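The following added example (not code from this page or from the Go project) shows why a leading zero matters to an IP-based control: it computes both readings of a dotted IPv4 literal, the decimal one that Go before 1.17 produced and the octal one that inet_aton-style parsers produce, and flags literals where they differ. The names ClassifyIPv4 and Readings are hypothetical and the sample literals are constructed.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Readings (hypothetical name) holds the two addresses one literal can denote.
type Readings struct {
	Decimal   net.IP // leading zeroes stripped (Go before 1.17)
	Octal     net.IP // leading zero means base 8 (inet_aton-style parsers)
	Ambiguous bool   // true when the two readings differ
}

// ClassifyIPv4 parses a four-part dotted literal both ways. It returns an
// error when the literal is not four numeric parts or a reading exceeds 255.
func ClassifyIPv4(s string) (Readings, error) {
	parts := strings.Split(s, ".")
	if len(parts) != 4 {
		return Readings{}, fmt.Errorf("%q: want 4 octets", s)
	}
	dec, oct := make(net.IP, 4), make(net.IP, 4)
	for i, p := range parts {
		d, err := strconv.ParseUint(p, 10, 8)
		if err != nil {
			return Readings{}, fmt.Errorf("%q: bad octet %q", s, p)
		}
		o := d
		if len(p) > 1 && p[0] == '0' {
			if o, err = strconv.ParseUint(p, 8, 8); err != nil {
				return Readings{}, fmt.Errorf("%q: bad octal octet %q", s, p)
			}
		}
		dec[i], oct[i] = byte(d), byte(o)
	}
	return Readings{dec, oct, !dec.Equal(oct)}, nil
}

func main() {
	// Constructed inputs: a rule written for 10.0.0.0/8 sees 010.8.8.8 two ways.
	for _, s := range []string{"010.8.8.8", "10.8.8.8", "0127.0.0.1"} {
		r, err := ClassifyIPv4(s)
		fmt.Println(s, r.Decimal, r.Octal, r.Ambiguous, err)
	}
}
```

A validator in front of an allow-list or deny-list can reject any literal for which Ambiguous is true or an error is returned, so that every component in the path agrees on the address.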

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
