Python also impacted by critical IP address validation vulnerability



The Python standard library module ipaddress also suffers from a critical IP address validation vulnerability identical to the flaw reported in the "netmask" library earlier this year.


The researchers who discovered the critical flaw in netmask also found the same flaw in this Python module and have obtained a vulnerability identifier for it: CVE-2021-29921.


The regression bug crept into Python 3.x's ipaddress module as a result of a change made in 2019 by Python maintainers.


Leading zeroes stripped from IP addresses


In March, BleepingComputer had first reported on a critical IP validation vulnerability in the netmask library used by thousands of applications.


The vulnerability, tracked as CVE-2021-28918 (Critical), CVE-2021-29418 (Medium), and CVE-2021-29424 (High), existed in both the npm and Perl versions of netmask, and in some other similar libraries.


It turns out that the ipaddress standard library, introduced in Python 3.3, is also impacted by this vulnerability, as disclosed this week by Victor Viale, Sick Codes, Kelly Kaoudis, John Jackson, and Nick Sahler.


Tracked as CVE-2021-29921, the bug concerns improper parsing of IP addresses by the ipaddress standard library.


Python's ipaddress module provides developers with functions to easily create IP addresses, networks, and interfaces, and to parse and normalize IP addresses supplied in different formats.
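The practical risk described above is that an affected ipaddress build silently turned an octet such as "010" into "10", so an allowlist or blocklist built on the module could accept an address the operator never intended to admit. The following added example (not code from the article, nor from CPython's ipaddress module) shows a defensive pattern that does not depend on which interpreter build is running: it refuses any octet that is not canonical decimal before the string ever reaches the library parser, and it fails closed in an allowlist check. The function names, the regular expression and the sample inputs are all constructed for this illustration.

```python
"""Strict IPv4 validation that rejects leading-zero octets before calling ipaddress.

Added example, not from the article or the Python standard library. It assumes the
caller wants ambiguous dotted-quad forms such as "010.8.8.8" rejected outright,
whatever the running interpreter's ipaddress module would do with them.
"""
import ipaddress
import re

# A canonical octet is "0" or a 1-3 digit number with no leading zero.
# "010", "000" and "08" all fail this pattern.
_STRICT_OCTET = re.compile(r"^(0|[1-9][0-9]{0,2})$")


def strict_ipv4(text: str) -> ipaddress.IPv4Address:
    """Return an IPv4Address only for a canonical dotted-quad string.

    Raises ValueError for a wrong octet count, empty or non-digit octets,
    leading zeros ("010"), and out-of-range values (> 255).
    """
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets, got {len(parts)}: {text!r}")
    for octet in parts:
        if not _STRICT_OCTET.match(octet):
            raise ValueError(f"octet {octet!r} is not canonical decimal")
        if int(octet) > 255:
            raise ValueError(f"octet {octet!r} exceeds 255")
    # Only canonical text reaches the library parser, so its historical
    # leading-zero behaviour can no longer change the meaning of the input.
    return ipaddress.IPv4Address(text)


def is_strict_ipv4(text: str) -> bool:
    """True if text is a canonical IPv4 address, False otherwise."""
    try:
        strict_ipv4(text)
        return True
    except ValueError:
        return False


def check_allowlist(candidate: str, allowed_networks) -> bool:
    """Allowlist check that fails closed: non-canonical input is never allowed."""
    try:
        addr = strict_ipv4(candidate)
    except ValueError:
        return False
    return any(addr in ipaddress.IPv4Network(net) for net in allowed_networks)


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    samples = ["10.8.8.8", "010.8.8.8", "127.0.0.1", "127.000.000.001", "256.1.1.1", "1.2.3"]
    for sample in samples:
        verdict = "accepted" if is_strict_ipv4(sample) else "rejected"
        print(f"{sample!r:>20} -> {verdict}")
```

The regular expression does the work that the ipaddress module was supposed to do for the application: it makes the leading-zero case an explicit error at the boundary rather than an interpreter-dependent reinterpretation. The allowlist helper then treats any parse failure as "not allowed", which is the safe default for access-control decisions.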


