mirror of
https://github.com/OMGeeky/advisory-db.git
synced 2025-12-30 16:24:05 +01:00
30 lines
1.3 KiB
Markdown
30 lines
1.3 KiB
Markdown
```toml
|
|
[advisory]
|
|
id = "CVE-2021-29922"
|
|
package = "std"
|
|
date = "2020-01-31"
|
|
url = "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29922"
|
|
keywords = ["IpAddr", "SSRF", "RFI", "LFI"]
|
|
|
|
[versions]
|
|
patched = [">= 1.53.0"]
|
|
|
|
[affected]
|
|
[affected.functions]
|
|
"std::net::IpAddr::from_str" = ["<= 1.52.1"]
|
|
"std::net::Ipv4Addr::from_str" = ["<= 1.52.1"]
|
|
"std::net::Ipv6Addr::from_str" = ["<= 1.52.1"]
|
|
```
|
|
|
|
# Improper Input Validation of octal literals in `std::net`
|
|
|
|
Improper input validation of octal strings in rust-lang standard library `net` allows unauthenticated remote attackers to perform
|
|
indeterminate SSRF, RFI, and LFI attacks on many programs that rely on rust-lang std::net.
|
|
IP address octets are left stripped instead of evaluated as valid IP addresses.
|
|
For example, an attacker submitting an IP address to a web application that relies on `std::net::IpAddr`,
|
|
could cause SSRF via inputting octal input data;
|
|
An attacker can submit exploitable IP addresses if the octet is 3 digits,
|
|
with the minimum exploitable octet being 08 (Denial of Service) and the maximum exploitable octet is 099 (Denial of Service).
|
|
For example, an attacker can submit `010.8.8.8`, which is `8.8.8.8` (RFI), yet `std::net::IpAddr` will evaluate this as `10.8.8.8`.
|
|
Equally, an attacker can input `127.0.026.1` which is really `127.0.22.1` but rust evaluates it as `127.0.26.1`.
|