Security News > 2021 > August > Go, Rust "net" library affected by critical IP address validation vulnerability
The commonly used "Net" library in Go and Rust languages is also impacted by the mixed-format IP address validation vulnerability.
The vulnerability, tracked by CVE-2021-29922 and CVE-2021-29923 concerns how net handles mixed-format IP addresses, or more specifically when a decimal IPv4 address contains a leading zero.
Say you are given an IP address in decimal format, 127.0.0.1, which is widely understood as the local loopback address or localhost.
Of particular note is the fact, 127.0.0.1 is not a public IP address but a loopback address its ambiguous representation changes it to a public IP address leading to a different host altogether.
The net module in both Go and Rust, for example, considers all octets of an IPv4 address as decimal, as shown in the researchers' reports [1, 2]. Consequently, if a developer was using net to validate if an IP address belongs to a certain range (e.g. parsing a list of IPs against an access control list (ACL , the result may come out wrong for octal-based representations of IPv4 addresses.
This mixed-format IP address validation bug had previously impacted Python's ipaddress library, netmask implementations, and similar libraries.
News URL
Related news
- Apache fixes critical OFBiz remote code execution vulnerability (source)
- Apache OFBiz team patches critical RCE vulnerability (CVE-2024-45195) (source)
- GitLab warns of critical pipeline execution vulnerability (source)
- SolarWinds Issues Patch for Critical ARM Vulnerability Enabling RCE Attacks (source)
- Critical Ivanti Cloud Appliance Vulnerability Exploited in Active Cyberattacks (source)
- CISA Flags Critical Ivanti vTM Vulnerability Amid Active Exploitation Concerns (source)
- PoC for critical SolarWinds Web Help Desk vulnerability released (CVE-2024-28987) (source)
- Critical NVIDIA Container Toolkit Vulnerability Could Grant Full Host Access to Attackers (source)
- Critical Zimbra RCE vulnerability under mass exploitation (CVE-2024-45519) (source)
- Apple Releases Critical iOS and iPadOS Updates to Fix VoiceOver Password Vulnerability (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2021-08-07 | CVE-2021-29923 | Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. | 7.5 |
| 2021-08-07 | CVE-2021-29922 | Unspecified vulnerability in Rust-Lang Rust library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. | 9.1 |