CVE-2021-29424: Incorrect Type Cast
First published: Mon Mar 29 2021(Updated: )
The Net::Netmask module before 2.0000 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| net\ \ | <2.0000 | |
| Fedora | =32 | |
| Fedora | =33 | |
| Fedora | =34 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JF4CYIZELC3NISB3RMV4OCI4GYBC557B/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y7JIPQAY5OZ5D3DA7INQILU7SGHTHMWB/
- https://metacpan.org/changes/distribution/Net-Netmask#L11-22
- https://security.netapp.com/advisory/ntap-20210604-0007/
- https://www.bleepingcomputer.com/news/security/critical-netmask-networking-bug-impacts-thousands-of-applications/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/CBJVLXJSWN6DKSF5ADUEERI6M23R3GGP/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JF4CYIZELC3NISB3RMV4OCI4GYBC557B/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y7JIPQAY5OZ5D3DA7INQILU7SGHTHMWB/
Frequently Asked Questions
What is the severity of CVE-2021-29424?
CVE-2021-29424 is classified as a medium severity vulnerability.
How do I fix CVE-2021-29424?
To remediate CVE-2021-29424, update the Net::Netmask module to version 2.0000 or later.
What versions of Net::Netmask are affected by CVE-2021-29424?
CVE-2021-29424 affects all versions of the Net::Netmask module before 2.0000.
What type of attack is possible with CVE-2021-29424?
CVE-2021-29424 allows attackers to bypass IP address-based access controls due to improper handling of extraneous zero characters.
Which platforms are impacted by CVE-2021-29424?
CVE-2021-29424 impacts systems using the affected versions of the Net::Netmask module on Fedora versions 32, 33, and 34.
- agent/type
- agent/softwarecombine
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2021-28918
- alias/CVE-2021-29418
- alias/CVE-2021-29424
- agent/weakness
- agent/severity
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/references
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-api
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/author
- vendor/net\
- canonical/net\ \
- vendor/fedoraproject
- canonical/fedora
- version/fedora/32
- version/fedora/33
- version/fedora/34