Vulnerability CVE-2021-29921

Vulnerability Name:

CVE-2021-29921 (CCN-201083)

Assigned:

2021-04-30

Published:

2021-04-30

Updated:

2023-05-03

Summary:

CVSS v3 Severity:

9.8 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
8.8 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

9.1 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
8.2 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

9.1 Critical (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
8.2 High (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:P/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): None

CVSS v2 Severity:

7.5 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

9.4 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:N)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): None

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2021-29921

Source: cve@mitre.org
Type: Issue Tracking, Patch, Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Vendor Advisory
cve@mitre.org

Source: XF
Type: UNKNOWN
python-cve202129921-ssrf(201083)

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: CCN
Type: cpython GIT Repository
bpo-36384: Remove check for leading zeroes in IPv4 addresses #12577

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Exploit, Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Vendor Advisory
cve@mitre.org

Source: cve@mitre.org
Type: UNKNOWN
cve@mitre.org

Source: cve@mitre.org
Type: Third Party Advisory
cve@mitre.org

Source: cve@mitre.org
Type: Exploit, Third Party Advisory
cve@mitre.org

Source: CCN
Type: Sick.Codes Web site
CVE-2021-29921 python stdlib ipaddress Improper Input Validation of octal literals in python 3.8.0 thru v3.10 results in indeterminate SSRF & RFI

Source: CCN
Type: IBM Security Bulletin 6467281 (Spectrum Protect Plus)
Vulnerabilities in Python, Tornado, and Urllib3 affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore

Source: CCN
Type: IBM Security Bulletin 6551876 (Cloud Pak for Security)
Cloud Pak for Security uses packages that are vulnerable to multiple CVEs

Source: CCN
Type: IBM Security Bulletin 6588167 (Cloud Private)
IBM Cloud Private is vulnerable to server-side request forgery due to Python (CVE-2021-29921)

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: Oracle CPUApr2022
Oracle Critical Patch Update Advisory - April 2022

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: Oracle CPUJan2022
Oracle Critical Patch Update Advisory - January 2022

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Source: CCN
Type: Oracle CPUJul2021
Oracle Critical Patch Update Advisory - July 2021

Source: CCN
Type: Oracle CPUJul2022
Oracle Critical Patch Update Advisory - July 2022

Source: cve@mitre.org
Type: UNKNOWN
cve@mitre.org

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: cve@mitre.org
Type: Patch, Third Party Advisory
cve@mitre.org

Vulnerable Configuration:

Configuration RedHat 1:

cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration RedHat 3:

cpe:/a:redhat:enterprise_linux:8::crb:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:cloud_private:3.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.1:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_private:3.2.2:cd:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:spectrum_protect_plus:10.1.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:769	P	Security update for vsftpd (Important)	2022-09-20
oval:org.opensuse.security:def:3670	P	Security update for containerd, docker and runc (Important)	2022-07-08
oval:org.opensuse.security:def:4574	P	Security update for the Linux Kernel (Live Patch 28 for SLE 12 SP5) (Important)	2022-04-14
oval:org.opensuse.security:def:6162	P	Security update for xen (Important)	2022-02-17
oval:org.opensuse.security:def:113316	P	python39-3.9.7-2.1 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:111868	P	Security update for python39 (Important)	2022-01-07
oval:com.redhat.rhsa:def:20214160	P	RHSA-2021:4160: python39:3.9 and python39-devel:3.9 security update (Moderate)	2021-11-09
oval:com.redhat.rhsa:def:20214162	P	RHSA-2021:4162: python38:3.8 and python38-devel:3.8 security update (Moderate)	2021-11-09
oval:org.opensuse.security:def:106726	P	Security update for python-Pygments (Important)	2021-10-20
oval:org.opensuse.security:def:101500	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:64759	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:101801	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:73881	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:65663	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:74731	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:67251	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:1123	P	Security update for python39 (Important)	2021-09-03
oval:org.opensuse.security:def:76319	P	Security update for python39 (Important)	2021-09-03

BACK