CVE-2021-29922
First published: Sat Aug 07 2021(Updated: )
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Rust-lang Rust | <1.53.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
- https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html
- https://github.com/rust-lang/rust/issues/83648
- https://github.com/rust-lang/rust/pull/83652
- https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md
- https://security.gentoo.org/glsa/202210-09
Frequently Asked Questions
What is CVE-2021-29922?
CVE-2021-29922 is a vulnerability in Rust that allows attackers to bypass access control based on IP addresses.
What is the severity of CVE-2021-29922?
CVE-2021-29922 has a severity rating of 9.1 (critical).
How does CVE-2021-29922 work?
CVE-2021-29922 occurs due to Rust not properly considering extraneous zero characters at the beginning of an IP address string, leading to unexpected octal interpretation and potential bypass of IP-based access control.
Which software is affected by CVE-2021-29922?
Rust versions before 1.53.0 are affected by CVE-2021-29922.
How can I fix CVE-2021-29922?
To fix CVE-2021-29922, update Rust to version 1.53.0 or later.
- collector/nvd-index
- agent/author
- agent/references
- agent/severity
- agent/type
- agent/description
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/remedy
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/rust-lang
- canonical/rust-lang rust