Bugzilla – Bug 1184423
VUL-1: CVE-2021-29662: perl-Data-Validate-IP: bypass access control via zero characters at the beginning of an IP address string
Last modified: 2021-04-14 14:49:07 UTC
CVE-2021-29662: The Data::Validate::IP module through 0.29 for Perl does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses.

Upstream fix: https://github.com/houseabsolute/Data-Validate-IP/commit/3bba13c819d616514a75e089badd75002fd4f14e
This fix changes only the documentation of the is_*_ip() functions.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-29662
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29662
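The report above does not spell out why a leading zero matters, so here is an added illustration of the general class of problem; it is not code from Data::Validate::IP or from this bug. It is written in Python rather than Perl because the point is about consuming code, not the module's API. It assumes the usual source of the mismatch: a validator that accepts "010.0.0.1" as a well-formed dotted quad, a policy check that reads the octets in decimal, and a socket layer that follows the BSD inet_aton() convention of reading an octet with a leading zero as octal. The validators, the inet_aton model, the 10.0.0.0/8 policy and the sample strings are all constructed for the example.

```python
"""Leading-zero IPv4 octets: lenient validation vs. what the resolver does.

Constructed example. Models three layers that can disagree about a string:
  1. a syntactic validator (lenient vs. strict about leading zeros),
  2. an access-control check that reads octets in decimal,
  3. a socket layer that, like BSD inet_aton(), reads "010" as octal 8.
"""
import re
from ipaddress import IPv4Address, IPv4Network

DOTTED_QUAD = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")

# Hypothetical policy: only hosts inside this range may be contacted.
INTERNAL = IPv4Network("10.0.0.0/8")

# Constructed sample inputs, including ones with leading-zero octets.
SAMPLES = ["10.0.0.1", "010.0.0.1", "010.0.0.010", "10.0.0.01",
           "09.0.0.1", "256.1.1.1"]


def is_ipv4_lenient(s):
    """Accept any four 1-3 digit octets <= 255, leading zeros included."""
    m = DOTTED_QUAD.match(s)
    return bool(m) and all(int(o) <= 255 for o in m.groups())


def is_ipv4_strict(s):
    """Like the lenient check, but reject any octet with a leading zero
    other than the single digit "0" (the documented-safe behaviour)."""
    m = DOTTED_QUAD.match(s)
    if not m:
        return False
    for o in m.groups():
        if int(o) > 255 or (len(o) > 1 and o[0] == "0"):
            return False
    return True


def decimal_reading(s):
    """What a decimal-minded policy check thinks the string denotes."""
    return ".".join(str(int(o)) for o in s.split("."))


def inet_aton_octal_model(s):
    """Constructed model of one inet_aton() rule: an octet that begins with
    '0' is octal. Returns dotted decimal, or None where the octet is not
    valid octal (e.g. "09") and the real function would fail.
    (Hex "0x" octets and short forms are out of scope for the model.)"""
    octets = []
    for o in s.split("."):
        base = 8 if len(o) > 1 and o[0] == "0" else 10
        try:
            v = int(o, base)
        except ValueError:
            return None
        if v > 255:
            return None
        octets.append(v)
    if len(octets) != 4:
        return None
    return ".".join(str(v) for v in octets)


def policy_allows(s):
    """Access-control decision made on the decimal reading of the string."""
    return IPv4Address(decimal_reading(s)) in INTERNAL


def check(s, validator):
    """Return (validation result, policy decision, address the socket layer
    would actually use). The last two are None when validation rejects."""
    if not validator(s):
        return ("rejected", None, None)
    return ("accepted", policy_allows(s), inet_aton_octal_model(s))


def find_mismatches(samples=SAMPLES):
    """Strings the lenient validator passes whose decimal reading differs
    from what the inet_aton-style layer would connect to. These are the
    inputs a string- or decimal-based access check cannot be trusted on."""
    return [s for s in samples
            if is_ipv4_lenient(s)
            and decimal_reading(s) != inet_aton_octal_model(s)]


if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:>12}  lenient={check(s, is_ipv4_lenient)}  "
              f"strict={check(s, is_ipv4_strict)}")
    print("mismatches:", find_mismatches())
```

With the lenient validator, "010.0.0.1" is accepted, the policy check reads it as 10.0.0.1 (internal, allowed), yet the socket layer would use 8.0.0.1. The strict validator refuses the string outright, which is the cheaper fix; the alternative is to canonicalize (parse once, compare the parsed value against policy, and hand only the canonical form to the network layer) so that every layer sees the same address. Note that "10.0.0.01" also has a leading zero but happens to denote the same host either way; a strict check still rejects it, because the safe rule is about the syntax, not about whether a particular value coincides.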
The commit referenced (and, from what I see, all of that release) just adds documentation on what to do when using this module. So I see no fix in the Perl code of the module itself.
The CVE is invalid IMO. The bug is not in the module; the API is just very easy to misuse, so they added a clarification to their documentation. Releasing an update to documentation doesn't seem plausible to me. Reassigning to security team for reevaluation.
Agreed. We keep this bug as a reference, noting that we will not change the documentation. CVEs like this are really annoying. Closing as wontfix.