The flaw, which can lead to server-side request forgery (SSRF), has now been patched
Three Perl modules are potentially vulnerable to a critical upstream security flaw in Net::Netmask, a Perl distribution used to parse, manipulate, and look up IP network blocks.
The affected CPAN modules include Net-CIDR-Lite, used to merge IPv4 or IPv6 CIDR addresses; Net-IPAddress-Util, a version-agnostic IP address representation; and Data-Validate-IP, an IPv4 and IPv6 validator, said Perl developer Dave Rolsky in a blog post published yesterday (March 29).
The nine-year-old flaw, which requires no authentication to trigger, has been remediated in Netmask v2.0, released on March 20.
The improper input validation bug, which potentially affects as many as 279,000 GitHub projects, means that an IP address containing an octet with a leading zero is read as octal rather than decimal, so Netmask sees a completely different IP from the one the caller intended. Any code that validates an address one way and then connects to it another way can therefore be tricked, which is how the bug becomes an SSRF vector.
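The following Perl script is an added illustration of the octal/decimal mismatch described above; it is not code from Net::Netmask, Data::Validate::IP or Dave Rolsky's post. Both parsers (a loose one that reads a leading-zero octet as octal, and a strict one that rejects it) and the sample addresses are constructed here for demonstration. The interesting input is 0177.0.0.1: a filter that takes the digits at face value sees 177.0.0.1 and allows it, while a component that reads the leading zero as octal connects to 127.0.0.1.

```perl
#!/usr/bin/env perl
# Added illustration of the octal/decimal mismatch. Not code from Net::Netmask,
# Data::Validate::IP or Dave Rolsky's post; both parsers and the sample
# addresses are constructed here for demonstration.
use strict;
use warnings;
use 5.010;

# Loose parser, mimicking the flawed behaviour: an octet written with a leading
# zero is read as octal (oct("0177") == 127), the way a C-style number scanner
# would read it.
sub parse_ipv4_loose {
    my ($s) = @_;
    my @octets = split /\./, $s, -1;
    return undef unless @octets == 4;
    my @vals;
    for my $o (@octets) {
        return undef unless $o =~ /\A[0-9]+\z/;
        my $v = ($o =~ /\A0[0-7]+\z/) ? oct($o) : $o + 0;   # leading zero => octal
        return undef if $v > 255;
        push @vals, $v;
    }
    return join '.', @vals;
}

# Strict parser: each octet must be plain decimal with no leading zero (a lone
# "0" is allowed). Ambiguous input is rejected instead of being reinterpreted.
sub parse_ipv4_strict {
    my ($s) = @_;
    my @octets = split /\./, $s, -1;
    return undef unless @octets == 4;
    for my $o (@octets) {
        return undef unless $o =~ /\A(?:0|[1-9][0-9]{0,2})\z/;
        return undef if $o > 255;
    }
    return join '.', map { $_ + 0 } @octets;
}

# What a naive validator sees if it compares the digits as decimal without
# noticing the leading zero: Perl's string-to-number conversion is decimal,
# so "0177" + 0 == 177.
sub face_value_decimal {
    my ($s) = @_;
    return join '.', map { $_ + 0 } split /\./, $s;
}

# A deny-list rule of the kind an SSRF filter applies: is this in 127.0.0.0/8?
sub is_loopback {
    my ($dotted) = @_;
    my ($first) = split /\./, $dotted;
    return $first == 127;
}

# Constructed inputs. For '0177.0.0.1' the face-value check says "not blocked"
# while the loose parser resolves it to 127.0.0.1: validator and connector
# disagree, and the filter is bypassed. The strict parser rejects it outright.
for my $addr ('127.0.0.1', '010.1.2.3', '0177.0.0.1', '1.2.3.4') {
    my $loose  = parse_ipv4_loose($addr)  // 'rejected';
    my $strict = parse_ipv4_strict($addr) // 'rejected';
    my $seen   = face_value_decimal($addr);
    printf "%-11s face-value=%-10s blocked=%-3s loose=%-10s strict=%s\n",
        $addr, $seen, is_loopback($seen) ? 'yes' : 'no', $loose, $strict;
}
```

The point of the strict parser is not that it agrees with the loose one, but that it refuses every input on which two parsers could disagree, so a validator and a connector built on it cannot be driven to different hosts by the same string. Consistently rejecting leading-zero octets everywhere in the request path is the property to check for in any codebase that still consumes untrusted dotted-quad input.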
Although Data-Validate-IP doesn't misparse octal numbers, it may still be susceptible to the Netmask flaw "depending on exactly how your code uses this distro", said Rolsky.
"This distribution returns false for any method that includes an octal number," explains Rolsky. "So both [...] and [...] return false.
"I updated the documentation to explicitly recommend that you always call [...] along with calling a method like [...]," said the developer.
Rolsky also noted that Net-CIDR-Lite is currently not being maintained until a new volunteer is found.
Other CPAN modules used for working with IP addresses and netmasks – Socket, Net-DNS, NetAddr-IP, Net-Subnet, and Net-Patricia – appear to be unaffected, he added.
The Daily Swig has contacted Dave Rolsky for further comment and this article will be updated should we receive a response.