{"api_version":"1","generated_at":"2026-04-22T21:03:55+00:00","cve":"CVE-2021-29922","urls":{"html":"https://cve.report/CVE-2021-29922","api":"https://cve.report/api/cve/CVE-2021-29922.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-29922","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-29922"},"summary":{"title":"CVE-2021-29922","description":"library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-08-07 17:15:00","updated_at":"2022-11-07 16:36:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://security.gentoo.org/glsa/202210-09","name":"GLSA-202210-09","refsource":"GENTOO","tags":[],"title":"Rust: Multiple Vulnerabilities (GLSA 202210-09) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md","name":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md","refsource":"MISC","tags":[],"title":"security/SICK-2021-015.md at master · sickcodes/security · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/rust-lang/rust/issues/83648","name":"https://github.com/rust-lang/rust/issues/83648","refsource":"MISC","tags":[],"title":"Ipv4Addr: Incorrect Parsing for Octal format IP string  · Issue #83648 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis","name":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"https://github.com/rust-lang/rust/pull/83652","name":"https://github.com/rust-lang/rust/pull/83652","refsource":"MISC","tags":[],"title":"Disallow octal format in Ipv4 string by xu-cheng · Pull Request #83652 · rust-lang/rust · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html","name":"https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html","refsource":"MISC","tags":[],"title":"std::net::Ipv4Addr - Rust","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-29922","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29922","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"29922","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"rust-lang","cpe5":"rust","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-29922","qid":"159481","title":"Oracle Enterprise Linux Security Update for rust-toolset:ol8 (ELSA-2021-4270)"},{"cve":"CVE-2021-29922","qid":"183683","title":"Debian Security Update for rustc (CVE-2021-29922)"},{"cve":"CVE-2021-29922","qid":"239784","title":"Red Hat Update for rust-toolset:rhel8 security (RHSA-2021:4270)"},{"cve":"CVE-2021-29922","qid":"296065","title":"Oracle Solaris 11.4 Support Repository Update (SRU) 39.107.1 Missing (CPUOCT2021)"},{"cve":"CVE-2021-29922","qid":"501922","title":"Alpine Linux Security Update for rust"},{"cve":"CVE-2021-29922","qid":"505392","title":"Alpine Linux Security Update for rust"},{"cve":"CVE-2021-29922","qid":"710640","title":"Gentoo Linux Rust Multiple Vulnerabilities (GLSA 202210-09)"},{"cve":"CVE-2021-29922","qid":"900297","title":"CBL-Mariner Linux Security Update for rust 1.47.0"},{"cve":"CVE-2021-29922","qid":"940385","title":"AlmaLinux Security Update for rust-toolset:rhel8 (ALSA-2021:4270)"},{"cve":"CVE-2021-29922","qid":"960734","title":"Rocky Linux Security Update for rust-toolset:rhel8 (RLSA-2021:4270)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-29922","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"refsource":"MISC","name":"https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html","url":"https://doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html"},{"refsource":"MISC","name":"https://github.com/rust-lang/rust/pull/83652","url":"https://github.com/rust-lang/rust/pull/83652"},{"refsource":"MISC","name":"https://github.com/rust-lang/rust/issues/83648","url":"https://github.com/rust-lang/rust/issues/83648"},{"refsource":"MISC","name":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md","url":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md"},{"refsource":"MISC","name":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis","url":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"},{"refsource":"GENTOO","name":"GLSA-202210-09","url":"https://security.gentoo.org/glsa/202210-09"}]}},"nvd":{"publishedDate":"2021-08-07 17:15:00","lastModifiedDate":"2022-11-07 16:36:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.1,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.2},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":6.4},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:rust-lang:rust:*:*:*:*:*:*:*:*","versionEndExcluding":"1.53.0","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"29922","Ordinal":"205152","Title":"CVE-2021-29922","CVE":"CVE-2021-29922","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"29922","Ordinal":"1","NoteData":"library/std/src/net/parser.rs in Rust before 1.53.0 does not properly consider extraneous zero characters at the beginning of an IP address string, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"29922","Ordinal":"2","NoteData":"2021-08-07","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"29922","Ordinal":"3","NoteData":"2021-08-07","Type":"Other","Title":"Modified"}]}}}