CVE-2021-4456

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2021-4456

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-4456.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2021-4456

Downstream

DEBIAN-CVE-2021-4456

UBUNTU-CVE-2021-4456

Published

2026-02-27T01:16:13.553Z

Modified

2026-03-01T02:17:45.917153Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact.

The functions addr2cidr and cidrlookup may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.

The documentation advises validating untrusted CIDR strings with the cidrvalidate function. However, this mitigation is optional and not enforced by default. In practice, users may call addr2cidr or cidrlookup with untrusted input and without validation, incorrectly assuming that this is safe.

References

Affected packages

Git / github.com/svarshavchik/net-cidr

Affected ranges

Type: GIT
Repo: https://github.com/svarshavchik/net-cidr
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

e3648c6bc6bdd018f90cca4149c467017d42bd10

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2021-4456.json"