Описание
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
A flaw was found in golang. Extraneous zero characters at the beginning of an IP address octet are not properly considered which could allow an attacker to bypass IP-based access controls. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Отчет
This vulnerability potentially affects any component written in Go that uses the net standard library and ParseIP / ParseCIDR functions. There are components which might not use these functions or might use them to parse IP addresses and not manage them in any way (only store information about the ip address) . This reduces the severity of this vulnerability to Low for the following offerings:
- OpenShift distributed tracing (formerly OpenShift Jaeger)
- OpenShift Migration Toolkit for Containers
- OpenShift Container Platform
Меры по смягчению последствий
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Migration Toolkit for Containers | rhmtc/openshift-migration-must-gather-rhel8 | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-registry-rhel8 | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-plugin-for-microsoft-azure-rhel8 | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-restic-restore-helper-rhel8 | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-migration-velero-rhel8 | Affected | ||
| Migration Toolkit for Containers | rhmtc/openshift-velero-plugin-rhel8 | Affected | ||
| OpenShift Serverless | knative-eventing | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-operator | Affected | ||
| Red Hat Advanced Cluster Security 3 | scanner | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which (in some situations) allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR.
Go before 1.17 does not properly consider extraneous zero characters a ...
EPSS
7.3 High
CVSS3