Net::CIDR versions before 0.24 for Perl mishandle leading zeros in IP CIDR addresses, which may have unspecified impact. The functions `addr2cidr` and `cidrlookup` may return leading zeros in a CIDR string, which may in turn be parsed as octal numbers by subsequent users. In some cases an attacker may be able to leverage this to bypass access controls based on IP addresses.
The documentation advises validating untrusted CIDR strings with the `cidrvalidate` function. However, this mitigation is optional and not enforced by default. In practice, users may call `addr2cidr` or `cidrlookup` with untrusted input and without validation, incorrectly assuming that this is safe.
Attack Parameters
Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
None
No privileges needed
User Interaction
None
No user interaction needed
Impact Assessment
Confidentiality
Low
Partial data leak
Integrity
Low
Partial data modification
Availability
None
No disruption
CVSS Vector v3.1
Weakness Type (CWE)
References 3
https://blog.urth.org/2021/03/29/security-issues-in-perl-ip-address-distros/
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://github.com/svarshavchik/Net-CIDR/commit/e3648c6bc6bdd018f90cca4149c4670…
9b29abf9-4ab0-4765-b253-1875cd9b441e
https://metacpan.org/dist/Net-CIDR/changes
9b29abf9-4ab0-4765-b253-1875cd9b441e