{"api_version":"1","generated_at":"2026-04-22T19:19:50+00:00","cve":"CVE-2021-29923","urls":{"html":"https://cve.report/CVE-2021-29923","api":"https://cve.report/api/cve/CVE-2021-29923.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-29923","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-29923"},"summary":{"title":"CVE-2021-29923","description":"Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.","state":"PUBLIC","assigner":"cve@mitre.org","published_at":"2021-08-07 17:15:00","updated_at":"2023-11-07 03:32:00"},"problem_types":["NVD-CWE-noinfo"],"metrics":[],"references":[{"url":"https://go-review.googlesource.com/c/go/+/325829/","name":"https://go-review.googlesource.com/c/go/+/325829/","refsource":"MISC","tags":[],"title":"","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://golang.org/pkg/net/#ParseCIDR","name":"https://golang.org/pkg/net/#ParseCIDR","refsource":"MISC","tags":[],"title":"net · pkg.go.dev","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md","name":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md","refsource":"MISC","tags":[],"title":"security/SICK-2021-016.md at master · sickcodes/security · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","name":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","tags":[],"title":"Oracle Critical Patch Update Advisory - January 2022","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/golang/go/issues/43389","name":"https://github.com/golang/go/issues/43389","refsource":"MISC","tags":[],"title":"net: limit the size of ParseIP input? · Issue #43389 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://security.gentoo.org/glsa/202208-02","name":"GLSA-202208-02","refsource":"GENTOO","tags":[],"title":"Go: Multiple Vulnerabilities (GLSA 202208-02) — Gentoo security","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/","name":"FEDORA-2022-17d004ed71","refsource":"","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-1.18~rc1-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/","name":"FEDORA-2022-17d004ed71","refsource":"FEDORA","tags":[],"title":"[SECURITY] Fedora 36 Update: golang-1.18~rc1-2.fc36 - package-announce - Fedora Mailing-Lists","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis","name":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis","refsource":"MISC","tags":[],"title":"","mime":"","httpstatus":"-1","archivestatus":"404"},{"url":"https://github.com/golang/go/issues/30999","name":"https://github.com/golang/go/issues/30999","refsource":"MISC","tags":[],"title":"net: reject leading zeros in IP address parsers [freeze exception] · Issue #30999 · golang/go · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"429"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-29923","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-29923","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2021","cve_id":"29923","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"fedoraproject","cpe5":"fedora","cpe6":"36","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"29923","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"golang","cpe5":"go","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2021","cve_id":"29923","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"oracle","cpe5":"timesten_in-memory_database","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2021-29923","qid":"159397","title":"Oracle Enterprise Linux Security Update for go-toolset:ol8 (ELSA-2021-3585)"},{"cve":"CVE-2021-29923","qid":"239647","title":"Red Hat Update for go-toolset:rhel8 (RHSA-2021:3585)"},{"cve":"CVE-2021-29923","qid":"240023","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:0237)"},{"cve":"CVE-2021-29923","qid":"240030","title":"Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:0260)"},{"cve":"CVE-2021-29923","qid":"240106","title":"Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2022:0557)"},{"cve":"CVE-2021-29923","qid":"240171","title":"Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:0988)"},{"cve":"CVE-2021-29923","qid":"240173","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:0998)"},{"cve":"CVE-2021-29923","qid":"240177","title":"Red Hat Update for OpenStack Platform 16.1 (RHSA-2022:0989)"},{"cve":"CVE-2021-29923","qid":"240183","title":"Red Hat Update for OpenStack Platform 16.2 (RHSA-2022:0997)"},{"cve":"CVE-2021-29923","qid":"375831","title":"Golang Improper Input Validation Of Octal Literals Vulnerability"},{"cve":"CVE-2021-29923","qid":"377556","title":"Alibaba Cloud Linux Security Update for go-toolset:rhel8 (ALINUX3-SA-2021:0069)"},{"cve":"CVE-2021-29923","qid":"378883","title":"Splunk Enterprise August Third Party Package Updates (SVD-2023-0808)"},{"cve":"CVE-2021-29923","qid":"502089","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2021-29923","qid":"503185","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2021-29923","qid":"506078","title":"Alpine Linux Security Update for go"},{"cve":"CVE-2021-29923","qid":"671032","title":"EulerOS Security Update for golang (EulerOS-SA-2021-2633)"},{"cve":"CVE-2021-29923","qid":"671038","title":"EulerOS Security Update for golang (EulerOS-SA-2021-2661)"},{"cve":"CVE-2021-29923","qid":"671209","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1027)"},{"cve":"CVE-2021-29923","qid":"671229","title":"EulerOS Security Update for golang (EulerOS-SA-2022-1007)"},{"cve":"CVE-2021-29923","qid":"710584","title":"Gentoo Linux Go Multiple Vulnerabilities (GLSA 202208-02)"},{"cve":"CVE-2021-29923","qid":"770136","title":"Red Hat OpenShift Container Platform 4.9 Security Update (RHSA-2022:0557)"},{"cve":"CVE-2021-29923","qid":"900300","title":"CBL-Mariner Linux Security Update for golang 1.15.13"},{"cve":"CVE-2021-29923","qid":"900322","title":"CBL-Mariner Linux Security Update for golang 1.16.7"},{"cve":"CVE-2021-29923","qid":"903052","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (5242)"},{"cve":"CVE-2021-29923","qid":"907745","title":"Common Base Linux Mariner (CBL-Mariner) Security Update for golang (5242-1)"},{"cve":"CVE-2021-29923","qid":"940338","title":"AlmaLinux Security Update for go-toolset:rhel8 (ALSA-2021:3585)"},{"cve":"CVE-2021-29923","qid":"960681","title":"Rocky Linux Security Update for go-toolset:rhel8 (RLSA-2021:3585)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"cve@mitre.org","ID":"CVE-2021-29923","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"n/a","version":{"version_data":[{"version_value":"n/a"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"n/a"}]}]},"references":{"reference_data":[{"url":"https://golang.org/pkg/net/#ParseCIDR","refsource":"MISC","name":"https://golang.org/pkg/net/#ParseCIDR"},{"url":"https://www.oracle.com/security-alerts/cpujan2022.html","refsource":"MISC","name":"https://www.oracle.com/security-alerts/cpujan2022.html"},{"refsource":"MISC","name":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis","url":"https://defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis"},{"refsource":"MISC","name":"https://github.com/golang/go/issues/43389","url":"https://github.com/golang/go/issues/43389"},{"refsource":"MISC","name":"https://github.com/golang/go/issues/30999","url":"https://github.com/golang/go/issues/30999"},{"refsource":"MISC","name":"https://go-review.googlesource.com/c/go/+/325829/","url":"https://go-review.googlesource.com/c/go/+/325829/"},{"refsource":"MISC","name":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md","url":"https://github.com/sickcodes/security/blob/master/advisories/SICK-2021-016.md"},{"refsource":"FEDORA","name":"FEDORA-2022-17d004ed71","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4CHKSFMHZVOBCZSSVRE3UEYNKARTBMTM/"},{"refsource":"GENTOO","name":"GLSA-202208-02","url":"https://security.gentoo.org/glsa/202208-02"}]}},"nvd":{"publishedDate":"2021-08-07 17:15:00","lastModifiedDate":"2023-11-07 03:32:00","problem_types":["NVD-CWE-noinfo"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"HIGH","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH"},"exploitabilityScore":3.9,"impactScore":3.6},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:N/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"NONE","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5},"severity":"MEDIUM","exploitabilityScore":10,"impactScore":2.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:golang:go:*:*:*:*:*:*:*:*","versionEndExcluding":"1.17","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:oracle:timesten_in-memory_database:*:*:*:*:*:*:*:*","versionEndExcluding":"21.1.1.1.0","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"29923","Ordinal":"205153","Title":"CVE-2021-29923","CVE":"CVE-2021-29923","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"29923","Ordinal":"1","NoteData":"Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.","Type":"Description","Title":null},{"CveYear":"2021","CveId":"29923","Ordinal":"2","NoteData":"2021-08-07","Type":"Other","Title":"Published"},{"CveYear":"2021","CveId":"29923","Ordinal":"3","NoteData":"2022-02-07","Type":"Other","Title":"Modified"}]}}}