CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
EPSS
Percentile: 76.3%
library/std/src/net/parser.rs in Rust before 1.53.0 does not properly
consider extraneous zero characters at the beginning of an IP address
string, which (in some situations) allows attackers to bypass access
control that is based on IP addresses, because of unexpected octal
interpretation.
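
The ambiguity described above, as an added example (not code from the Rust standard library or from this record): a dotted-quad parser with three leading-zero policies, plus a check that flags strings whose decimal and octal readings name different hosts. `ZeroPrefix`, `parse_v4` and `ambiguous` are names invented here, and the sample strings are constructed.

```rust
use std::net::Ipv4Addr;

/// How to treat an octet written with extra leading zeros (e.g. "0127").
#[derive(Clone, Copy)]
pub enum ZeroPrefix { Reject, Decimal, Octal }

/// Parse a dotted-quad string under the given leading-zero policy.
pub fn parse_v4(s: &str, policy: ZeroPrefix) -> Option<Ipv4Addr> {
    let mut octets = [0u8; 4];
    let mut parts = s.split('.');
    for slot in octets.iter_mut() {
        let part = parts.next()?;
        if part.is_empty() || !part.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        let padded = part.len() > 1 && part.starts_with('0');
        let radix = match (padded, policy) {
            (true, ZeroPrefix::Reject) => return None, // strict: refuse the input
            (true, ZeroPrefix::Octal) => 8,            // reading used by C's inet_aton
            _ => 10,                                   // zeros ignored, value read as decimal
        };
        // Out-of-range values and digits invalid for the radix fail here.
        *slot = u8::from_str_radix(part, radix).ok()?;
    }
    if parts.next().is_some() {
        return None; // more than four octets
    }
    Some(Ipv4Addr::from(octets))
}

/// True when the decimal and octal readings differ, i.e. an IP-based filter
/// and the component that finally connects could see two different hosts.
pub fn ambiguous(s: &str) -> bool {
    parse_v4(s, ZeroPrefix::Decimal) != parse_v4(s, ZeroPrefix::Octal)
}

fn main() {
    // Constructed sample inputs.
    for s in ["127.0.0.1", "0127.0.0.1", "010.8.8.8", "08.0.0.1"] {
        println!(
            "{} strict={:?} decimal={:?} octal={:?} ambiguous={}",
            s,
            parse_v4(s, ZeroPrefix::Reject),
            parse_v4(s, ZeroPrefix::Decimal),
            parse_v4(s, ZeroPrefix::Octal),
            ambiguous(s)
        );
    }
}
```

Rejecting the padded form outright, as the `Reject` policy does, removes the disagreement instead of picking one of the two readings.
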
defcon.org/html/defcon-29/dc-29-speakers.html#kaoudis
doc.rust-lang.org/beta/std/net/struct.Ipv4Addr.html
github.com/rust-lang/rust/issues/83648
github.com/rust-lang/rust/pull/83652
github.com/sickcodes/security/blob/master/advisories/SICK-2021-015.md
launchpad.net/bugs/cve/CVE-2021-29922
nvd.nist.gov/vuln/detail/CVE-2021-29922
security-tracker.debian.org/tracker/CVE-2021-29922
www.cve.org/CVERecord?id=CVE-2021-29922