Bugzilla – Bug 1221564
VUL-0: CVE-2021-47154: perl-Net-CIDR-Lite: leading zeroes in IPv4 octets may allow attackers to bypass certain access controls
Last modified: 2024-04-19 09:14:01 UTC
The Net::CIDR::Lite module before 0.22 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-47154
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
https://www.cve.org/CVERecord?id=CVE-2021-47154
https://github.com/stigtsp/Net-CIDR-Lite/commit/23b6ff0590dc279521863a502e890ef19a5a76fc
https://metacpan.org/dist/Net-CIDR-Lite/changes
https://metacpan.org/pod/Net::CIDR::Lite
Affects SUSE:SLE-15-SP1:Update. Already fixed in openSUSE:Factory.
Reproducer in [0]:

perl -MNet::CIDR::Lite -E 'my $c = Net::CIDR::Lite->new; $c->add("010.0.0.0/8");

> * Before:
> 10.0.0.0-10.255.255.255
> * After:
> Can't determine ip format at /usr/lib/perl5/vendor_perl/5.26.1/Net/CIDR/Lite.pm line 38.
> Net::CIDR::Lite::add(Net::CIDR::Lite=HASH(0x5613637c7220), "010.0.0.0/8") called at -e line 1

[0] https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
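One way to reject the ambiguous input before it reaches an unpatched Net::CIDR::Lite or any other IP-based access check, as an added example (not code from the module, the fix commit, or this bug report). The helper names `strict_ipv4_cidr` and `readings` and the sample inputs are constructed for illustration; the octal reading models C-library parsers such as inet_aton(3), which treat a leading zero as octal.

```perl
#!/usr/bin/perl
# Added example (not Net::CIDR::Lite code): strict validation of IPv4/CIDR
# strings before they reach an IP-based access-control check.
use strict;
use warnings;

# Return the input unchanged if it is canonical dotted-quad (optional /len),
# or undef if an octet or the prefix has a leading zero or is out of range.
sub strict_ipv4_cidr {
    my ($in) = @_;
    return unless defined $in;
    my ($addr, $len) = $in =~ m{\A([0-9.]+)(?:/([0-9]+))?\z} or return;
    my @octets = split /\./, $addr, -1;    # -1 keeps trailing empty fields
    return unless @octets == 4;
    for my $o (@octets) {
        return unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/ && $o <= 255;
    }
    return $in unless defined $len;
    return unless $len =~ /\A(?:0|[1-9][0-9]?)\z/ && $len <= 32;
    return $in;
}

# Show why a non-canonical address is ambiguous: the same string with its
# octets read as decimal, and read C-style (leading 0 means octal).
# Returns (decimal_reading, octal_reading), or nothing if not dotted-quad.
sub readings {
    my ($in) = @_;
    (my $addr = $in) =~ s{/.*\z}{}s;       # drop the /len part, if any
    my @o = split /\./, $addr, -1;
    return unless @o == 4 && !grep { !/\A[0-9]{1,4}\z/ } @o;
    my @dec = map { $_ + 0 } @o;
    my @oct = map { /\A0[0-7]+\z/ ? oct($_) : /\A0[0-9]/ ? 'invalid' : $_ + 0 } @o;
    return (join('.', @dec), join('.', @oct));
}

# Constructed sample inputs; the second is the string from the reproducer.
for my $in ('10.0.0.0/8', '010.0.0.0/8', '192.168.010.1', '10.0.0.09', '10.0.0.0/08') {
    my $ok = strict_ipv4_cidr($in);
    if (defined $ok) {
        print "accept  $ok\n";
        next;
    }
    my ($dec, $oct) = readings($in);
    printf "reject  %-15s decimal reading %s, octal reading %s\n", $in, $dec, $oct;
}
```

Where the two readings differ, a component that parses the string one way and an ACL that parses it the other will disagree about which address is being checked, which is why the strict form rejects the input instead of normalizing it.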
Submitted here: https://build.suse.de/request/show/324220
SUSE-SU-2024:1256-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1221564
CVE References: CVE-2021-47154
Maintenance Incident: [SUSE:Maintenance:32990](https://smelt.suse.de/incident/32990/)
Sources used:
openSUSE Leap 15.5 (src): perl-Net-CIDR-Lite-0.21-150100.6.3.1
Development Tools Module 15-SP5 (src): perl-Net-CIDR-Lite-0.21-150100.6.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.