ubuntu-cve-2021-4456
Vulnerability from osv_ubuntu
Published
2026-02-27 01:16
Modified
2026-03-20 04:52
Summary
Details

Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions addr2cidr and cidrlookup may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the cidrvalidate function. However, this mitigation is optional and not enforced by default. In practice, users may call addr2cidr or cidrlookup with untrusted input and without validation, incorrectly assuming that this is safe.


{
  "affected": [
    {
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "libnet-cidr-perl",
            "binary_version": "0.17-1ubuntu0.14.04.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:14.04:LTS",
        "name": "libnet-cidr-perl",
        "purl": "pkg:deb/ubuntu/libnet-cidr-perl@0.17-1ubuntu0.14.04.1~esm2?arch=source\u0026distro=esm-infra-legacy/trusty"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17-1ubuntu0.14.04.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.17-1"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "libnet-cidr-perl",
            "binary_version": "0.17-1ubuntu0.16.04.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:16.04:LTS",
        "name": "libnet-cidr-perl",
        "purl": "pkg:deb/ubuntu/libnet-cidr-perl@0.17-1ubuntu0.16.04.1~esm2?arch=source\u0026distro=esm-infra/xenial"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17-1ubuntu0.16.04.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.17-1"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "libnet-cidr-perl",
            "binary_version": "0.18-1ubuntu0.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:18.04:LTS",
        "name": "libnet-cidr-perl",
        "purl": "pkg:deb/ubuntu/libnet-cidr-perl@0.18-1ubuntu0.1~esm2?arch=source\u0026distro=esm-infra/bionic"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.18-1ubuntu0.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.18-1"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro",
        "binaries": [
          {
            "binary_name": "libnet-cidr-perl",
            "binary_version": "0.20-1ubuntu0.1~esm2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:Pro:20.04:LTS",
        "name": "libnet-cidr-perl",
        "purl": "pkg:deb/ubuntu/libnet-cidr-perl@0.20-1ubuntu0.1~esm2?arch=source\u0026distro=esm-infra/focal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.20-1ubuntu0.1~esm2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.20-1"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "libnet-cidr-perl",
            "binary_version": "0.21-1ubuntu0.2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:22.04:LTS",
        "name": "libnet-cidr-perl",
        "purl": "pkg:deb/ubuntu/libnet-cidr-perl@0.21-1ubuntu0.2?arch=source\u0026distro=jammy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21-1ubuntu0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.20-1",
        "0.21-1"
      ]
    },
    {
      "ecosystem_specific": {
        "availability": "No subscription required",
        "binaries": [
          {
            "binary_name": "libnet-cidr-perl",
            "binary_version": "0.21-2ubuntu0.2"
          }
        ]
      },
      "package": {
        "ecosystem": "Ubuntu:24.04:LTS",
        "name": "libnet-cidr-perl",
        "purl": "pkg:deb/ubuntu/libnet-cidr-perl@0.21-2ubuntu0.2?arch=source\u0026distro=noble"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.21-2ubuntu0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.21-2"
      ]
    }
  ],
  "aliases": [],
  "details": "Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses. The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.",
  "id": "UBUNTU-CVE-2021-4456",
  "modified": "2026-03-20T04:52:23Z",
  "published": "2026-02-27T01:16:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://ubuntu.com/security/CVE-2021-4456"
    },
    {
      "type": "REPORT",
      "url": "https://www.cve.org/CVERecord?id=CVE-2021-4456"
    },
    {
      "type": "REPORT",
      "url": "https://lists.security.metacpan.org/cve-announce/msg/37425715/"
    },
    {
      "type": "REPORT",
      "url": "https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/"
    },
    {
      "type": "REPORT",
      "url": "https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c467017d42bd10"
    },
    {
      "type": "REPORT",
      "url": "https://metacpan.org/dist/Net-CIDR/changes"
    },
    {
      "type": "ADVISORY",
      "url": "https://ubuntu.com/security/notices/USN-8110-1"
    }
  ],
  "related": [
    "USN-8110-1"
  ],
  "schema_version": "1.7.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "medium",
      "type": "Ubuntu"
    }
  ],
  "upstream": [
    "CVE-2021-4456"
  ]
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…