{"id":"CVE-2021-29921","details":"In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.","aliases":["BIT-libpython-2021-29921","BIT-python-2021-29921","BIT-python-min-2021-29921","PSF-2021-2"],"modified":"2026-04-10T04:33:05.881697Z","published":"2021-05-06T13:15:12.573Z","related":["ALSA-2021:4160","ALSA-2021:4162","MGASA-2021-0386","SUSE-FU-2022:0444-1","SUSE-FU-2022:0445-1","SUSE-SU-2021:2940-1","openSUSE-SU-2024:11286-1"],"references":[{"type":"WEB","url":"https://www.oracle.com/security-alerts/cpujul2022.html"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/12/msg00000.html"},{"type":"ADVISORY","url":"https://github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst"},{"type":"ADVISORY","url":"https://github.com/sickcodes"},{"type":"ADVISORY","url":"https://python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html"},{"type":"ADVISORY","url":"https://docs.python.org/3/library/ipaddress.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20210622-0003/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202305-02"},{"type":"FIX","url":"https://bugs.python.org/issue36384"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuapr2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"type":"FIX","url":"https://www.oracle.com/security-alerts/cpuoct2021.html"},{"type":"FIX","url":"https://github.com/python/cpython/pull/12577"},{"type":"FIX","url":"https://github.com/python/cpython/pull/25099"},{"type":"FIX","url":"https://www.oracle.com//security-alerts/cpujul2021.html"},{"type":"EVIDENCE","url":"https://sick.codes/sick-2021-014"},{"type":"EVIDENCE","url":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md"}],"affected":[{"ranges
":[{"type":"GIT","repo":"https://github.com/graalvm/graalvm-ce-builds","events":[{"introduced":"0"},{"last_affected":"cf616f9f924f9e60b6158ff4aaed8306382b4c31"},{"introduced":"0"},{"last_affected":"a748f59635430848730ca95f41a9f7fa1f26b12b"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"20.3.2"},{"introduced":"0"},{"last_affected":"21.1.0"}]}},{"type":"GIT","repo":"https://github.com/python/cpython","events":[{"introduced":"fa919fdf2583bdfead1df00e842f24f30b2a34bf"},{"fixed":"07119dd38c9a6e5da84ca8a0a46acdf8a3e60ecf"},{"introduced":"9cf6752276e6fcfd0c23fdb064ad27f448aaaf75"},{"fixed":"0a7dcbdb13f1f2ab6e76e1cff47e80fb263f5da0"}],"database_specific":{"versions":[{"introduced":"3.8.0"},{"fixed":"3.8.12"},{"introduced":"3.9.0"},{"fixed":"3.9.5"}]}}],"versions":["vm-19.3.2","vm-19.3.2-pre","vm-19.3.3","vm-19.3.4","vm-19.3.5","vm-19.3.6","vm-20.0.1","vm-20.1.0","vm-20.2.0","vm-20.3.0","vm-20.3.1","vm-20.3.1.2","vm-20.3.2","vm-21.0.0","vm-21.0.0.2","vm-21.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-29921.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"1.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.11.0"}]},{"events":[{"introduced":"0"},{"last_affected":"1.8.0"}]},{"events":[{"introduced":"0"},{"last_affected":"8.8"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}