Bugzilla – Bug 1184423
VUL-1: CVE-2021-29662: perl-Data-Validate-IP: bypass access control via zero characters at the beginning of an IP address string
Last modified: 2021-04-14 14:49:07 UTC
The Data::Validate::IP module through 0.29 for Perl does not properly consider
extraneous zero characters at the beginning of an IP address string, which (in
some situations) allows attackers to bypass access control that is based on IP
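Illustration of the bypass class the CVE text describes, added here as an example; it is not code from this bug, from the Data::Validate::IP module or from the SUSE package. It is written in Python so it runs stand-alone. Assumptions: the "loose" validator models the behaviour the CVE describes (one to three digits per octet, leading zeros tolerated, digits read as decimal) and is not the module's actual regex; the "consumer" models the inet_aton()/inet_addr() convention where an octet beginning with 0 is octal and one beginning with 0x is hexadecimal; the blocked ranges and the sample strings are constructed for the demonstration.

```python
import re

# Constructed sample inputs (not from the bug report): a legitimate public
# address, two octal-looking strings and a plainly private address.
SAMPLES = ["12.0.0.1", "012.0.0.1", "0177.0.0.1", "10.0.0.1"]

# Constructed policy: ranges the access control is meant to block.
BLOCKED_RANGES = [
    ((10, 0, 0, 0), 8),
    ((127, 0, 0, 0), 8),
    ((172, 16, 0, 0), 12),
    ((192, 168, 0, 0), 16),
]

# Loose syntax (assumed, as described by the CVE): leading zeros pass.
_LOOSE = re.compile(r"(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})")
# Strict syntax: an octet is "0" or starts with 1-9, so no leading zeros.
_STRICT = re.compile(r"(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})\.(0|[1-9]\d{0,2})")


def validate_loose(s):
    """Decimal reading of a dotted quad, leading zeros tolerated.
    Returns an octet tuple, or None if the string does not match."""
    m = _LOOSE.fullmatch(s)
    if not m:
        return None
    octets = tuple(int(g, 10) for g in m.groups())
    return octets if all(o <= 255 for o in octets) else None


def validate_strict(s):
    """Canonical dotted-decimal only; any leading-zero octet is rejected."""
    m = _STRICT.fullmatch(s)
    if not m:
        return None
    octets = tuple(int(g, 10) for g in m.groups())
    return octets if all(o <= 255 for o in octets) else None


def inet_aton_like(s):
    """Assumed consumer behaviour (C library inet_aton rules): an octet
    starting with 0x is hex, one starting with 0 is octal. Only the
    four-part form is modelled. Returns an octet tuple or None."""
    parts = s.split(".")
    if len(parts) != 4:
        return None
    octets = []
    for p in parts:
        if p.lower().startswith("0x"):
            base, digits = 16, p[2:]
        elif len(p) > 1 and p.startswith("0"):
            base, digits = 8, p[1:]
        else:
            base, digits = 10, p
        if not digits:
            return None
        try:
            v = int(digits, base)
        except ValueError:
            return None
        if v > 255:
            return None
        octets.append(v)
    return tuple(octets)


def to_int(octets):
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def is_blocked(octets):
    """True if the address falls inside any BLOCKED_RANGES prefix."""
    addr = to_int(octets)
    for net, plen in BLOCKED_RANGES:
        mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
        if addr & mask == to_int(net) & mask:
            return True
    return False


def allowed_vulnerable(s):
    """Access control that trusts the loose check: the string is admitted
    when its decimal reading is outside the blocked ranges."""
    octets = validate_loose(s)
    return octets is not None and not is_blocked(octets)


def allowed_fixed(s):
    """Same policy, but only canonical input is admitted, so the address
    the policy evaluated is the address the socket layer will use."""
    octets = validate_strict(s)
    return octets is not None and not is_blocked(octets)


def bypass_report(s):
    """(passes vulnerable check, passes fixed check, effective target,
    effective target is blocked) for one input string."""
    eff = inet_aton_like(s)
    return (allowed_vulnerable(s), allowed_fixed(s), eff,
            eff is not None and is_blocked(eff))


if __name__ == "__main__":
    for s in SAMPLES:
        print(s, bypass_report(s))
```

The interesting row is "012.0.0.1": the loose check reads it as 12.0.0.1 and lets it through, while an inet_aton-style consumer connects to 10.0.0.1, inside the blocked range. The strict check rejects it outright, which is the mitigation the module's documentation change points callers at: either refuse leading-zero octets or canonicalise the string before the policy decision, so both sides parse the same address.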
This fix changes only the documentation of the is_*_ip() functions.
The commit referenced (and from what I see all of that release) just adds documentation on what to do when using this module. So I see no fix in the Perl code of the module itself.
The CVE is invalid IMO. The bug is not in the module, the API is just very easy to misuse so they added a clarification to their documentation. Releasing an update to documentation doesn't seem plausible to me.
Reassigning to security team for reevaluation
Agreed. We keep this bug as a reference, and we will not change the documentation. CVEs like this are really annoying.
Closing as wontfix.