Unrated severity · NVD Advisory · Published May 6, 2021 · Updated Nov 3, 2025
CVE-2021-29921
Description
In Python before 3.9.5, the ipaddress library mishandles leading zero characters in the octets of an IP address string. This (in some situations) allows attackers to bypass access control that is based on IP addresses.
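An added example (not code from this advisory or from CPython) of why a leading-zero octet is ambiguous: a lenient parser reads it as decimal, while `inet_aton`-style parsers read it as octal, so an access-control check and the component that later uses the address can disagree. The helper names and the sample addresses are constructed for illustration; `parse_strict` is one way to reject the ambiguous form regardless of interpreter version.

```python
import ipaddress

def _octets(text):
    parts = text.split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 string: {text!r}")
    return parts

def read_decimal(text):
    """Lenient reading: leading zeros are dropped, every octet is base 10."""
    return ipaddress.IPv4Address(".".join(str(int(p, 10)) for p in _octets(text)))

def read_octal(text):
    """inet_aton-style reading: an octet with a leading zero is base 8."""
    vals = [int(p, 8) if len(p) > 1 and p[0] == "0" else int(p, 10)
            for p in _octets(text)]
    return ipaddress.IPv4Address(".".join(map(str, vals)))

def parse_strict(text):
    """Reject any octet with a leading zero, so only one reading exists."""
    for p in _octets(text):
        if len(p) > 1 and p[0] == "0":
            raise ValueError(f"ambiguous leading zero in octet {p!r} of {text!r}")
    return ipaddress.IPv4Address(text)

def audit(text):
    """Return (decimal reading, octal reading, strict result or None)."""
    try:
        strict = parse_strict(text)
    except ValueError:
        strict = None
    return read_decimal(text), read_octal(text), strict

if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ("010.8.8.8", "0127.0.0.1", "192.168.0.1"):
        dec, octal, strict = audit(sample)
        print(f"{sample:12} decimal={dec} (private={dec.is_private}) "
              f"octal={octal} (private={octal.is_private}) "
              f"strict={'rejected' if strict is None else strict}")
```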
Affected products
osv-coords: 83 versions
- pkg:bitnami/libpython (no CPE), range: >= 3.8.0, < 3.8.12
- pkg:bitnami/python (no CPE), range: >= 3.8.0, < 3.8.12
- pkg:bitnami/python-min (no CPE), range: >= 3.8.0, < 3.8.12
- pkg:rpm/almalinux/python38-asn1crypto (no CPE), range: < 1.2.0-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-atomicwrites (no CPE), range: < 1.3.0-8.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-attrs (no CPE), range: < 19.3.0-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-babel (no CPE), range: < 2.7.0-11.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-cffi (no CPE), range: < 1.13.2-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-chardet (no CPE), range: < 3.0.4-19.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-cryptography (no CPE), range: < 2.8-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-Cython (no CPE), range: < 0.29.14-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-idna (no CPE), range: < 2.8-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-jinja2 (no CPE), range: < 2.10.3-5.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-markupsafe (no CPE), range: < 1.1.1-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-mod_wsgi (no CPE), range: < 4.6.8-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-more-itertools (no CPE), range: < 7.2.0-5.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-numpy (no CPE), range: < 1.17.3-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-numpy-doc (no CPE), range: < 1.17.3-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-numpy-f2py (no CPE), range: < 1.17.3-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-packaging (no CPE), range: < 19.2-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pluggy (no CPE), range: < 0.13.0-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-ply (no CPE), range: < 3.11-10.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-psutil (no CPE), range: < 5.6.4-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-psycopg2 (no CPE), range: < 2.8.4-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-psycopg2-doc (no CPE), range: < 2.8.4-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-psycopg2-tests (no CPE), range: < 2.8.4-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-py (no CPE), range: < 1.8.0-8.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pycparser (no CPE), range: < 2.19-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-PyMySQL (no CPE), range: < 0.10.1-1.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pyparsing (no CPE), range: < 2.4.5-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pysocks (no CPE), range: < 1.7.1-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pytest (no CPE), range: < 4.6.6-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pytz (no CPE), range: < 2019.3-3.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-pyyaml (no CPE), range: < 5.4.1-1.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-requests (no CPE), range: < 2.22.0-9.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-scipy (no CPE), range: < 1.3.1-4.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-setuptools (no CPE), range: < 41.6.0-5.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-setuptools-wheel (no CPE), range: < 41.6.0-5.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-six (no CPE), range: < 1.12.0-10.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-urllib3 (no CPE), range: < 1.25.7-5.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-wcwidth (no CPE), range: < 0.1.7-16.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-wheel (no CPE), range: < 0.33.6-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python38-wheel-wheel (no CPE), range: < 0.33.6-6.module_el8.6.0+2778+cd494b30
- pkg:rpm/almalinux/python39-attrs (no CPE), range: < 20.3.0-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-cffi (no CPE), range: < 1.14.3-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-chardet (no CPE), range: < 3.0.4-19.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-cryptography (no CPE), range: < 3.3.1-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-Cython (no CPE), range: < 0.29.21-5.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-idna (no CPE), range: < 2.10-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-iniconfig (no CPE), range: < 1.1.1-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-mod_wsgi (no CPE), range: < 4.7.1-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-more-itertools (no CPE), range: < 8.5.0-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-numpy (no CPE), range: < 1.19.4-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-numpy-doc (no CPE), range: < 1.19.4-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-numpy-f2py (no CPE), range: < 1.19.4-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-packaging (no CPE), range: < 20.4-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-pluggy (no CPE), range: < 0.13.1-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-ply (no CPE), range: < 3.11-10.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-psutil (no CPE), range: < 5.8.0-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-psycopg2 (no CPE), range: < 2.8.6-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-psycopg2-doc (no CPE), range: < 2.8.6-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-psycopg2-tests (no CPE), range: < 2.8.6-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-py (no CPE), range: < 1.10.0-1.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-pycparser (no CPE), range: < 2.20-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-PyMySQL (no CPE), range: < 0.10.1-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-pyparsing (no CPE), range: < 2.4.7-5.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-pysocks (no CPE), range: < 1.7.1-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-pytest (no CPE), range: < 6.0.2-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-pyyaml (no CPE), range: < 5.4.1-1.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-requests (no CPE), range: < 2.25.0-2.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-scipy (no CPE), range: < 1.5.4-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-setuptools (no CPE), range: < 50.3.2-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-setuptools-wheel (no CPE), range: < 50.3.2-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-six (no CPE), range: < 1.15.0-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-toml (no CPE), range: < 0.10.1-5.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-urllib3 (no CPE), range: < 1.25.10-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-wcwidth (no CPE), range: < 0.2.5-3.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-wheel (no CPE), range: < 1:0.35.1-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/almalinux/python39-wheel-wheel (no CPE), range: < 1:0.35.1-4.module_el8.6.0+2780+a40f65e1
- pkg:rpm/opensuse/python39&distro=openSUSE%20Tumbleweed (no CPE), range: < 3.9.7-2.1
- pkg:rpm/suse/python39-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE), range: < 3.9.6-4.3.3
- pkg:rpm/suse/python39-core&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP3 (no CPE), range: < 3.9.6-4.3.3
- pkg:rpm/suse/python39&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP3 (no CPE), range: < 3.9.6-4.3.4
Patches
No patches discovered yet.
References
- security.gentoo.org/glsa/202305-02 (mitre, vendor-advisory)
- bugs.python.org/issue36384 (mitre)
- docs.python.org/3/library/ipaddress.html (mitre)
- github.com/python/cpython/blob/63298930fb531ba2bb4f23bc3b915dbf1e17e9e1/Misc/NEWS.d/3.8.0a4.rst (mitre)
- github.com/python/cpython/pull/12577 (mitre)
- github.com/python/cpython/pull/25099 (mitre)
- github.com/sickcodes/security/blob/master/advisories/SICK-2021-014.md (mitre)
- python-security.readthedocs.io/vuln/ipaddress-ipv4-leading-zeros.html (mitre)
- security.netapp.com/advisory/ntap-20210622-0003/ (mitre)
- sick.codes/sick-2021-014 (mitre)
- www.oracle.com//security-alerts/cpujul2021.html (mitre)
- www.oracle.com/security-alerts/cpuapr2022.html (mitre)
- www.oracle.com/security-alerts/cpujan2022.html (mitre)
- www.oracle.com/security-alerts/cpujul2022.html (mitre)
- www.oracle.com/security-alerts/cpuoct2021.html (mitre)