Net::CIDR::Set Leading Zero Vulnerability in IP CIDR Address Handling

Vulnerability

A vulnerability exists in Net::CIDR::Set versions 0.10 through 0.13 for Perl, where the module improperly processes leading zeroes in IP CIDR address strings. The module reads an octet with a leading zero as an octal value, which is not what a user writing the address in decimal notation intends; this mismatch can enable attackers to circumvent access controls based on IP addresses. Net::CIDR::Set incorporates code from Net::CIDR::Lite, which is affected by a similar vulnerability (CVE-2021-47154).

Impact

Exploitation of this vulnerability could lead to unauthorized access by bypassing IP-based access controls.

Reproduction

To reproduce this vulnerability, use Net::CIDR::Set version 0.10 through 0.13. Add an IP address with a leading zero, such as '010.0.0.1', to a CIDR set. The module misinterprets the address as '8.0.0.1', reading the leading-zero octet as octal, which can allow an access control bypass.

Remediation

Users can upgrade to Net::CIDR::Set version 0.14 or later, which addresses this vulnerability by disallowing IPv4 addresses with leading zeros in the quads.
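The following Perl script is an added illustration of the ambiguity described in the Reproduction section and of the strict validation behaviour the fixed version adopts; it is not code from Net::CIDR::Set or from the advisory. The two parsers (parse_ipv4_strict and parse_ipv4_lenient) and the helper dotted are hypothetical names written for this example: the lenient parser deliberately reads a leading-zero octet as octal to show how '010.0.0.1' becomes 8.0.0.1, while the strict parser rejects any octet with a leading zero, which is the check a defender wants in front of an IP-based allow list.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Strict dotted-quad parser: every octet must be plain decimal, with no
# leading zero (the single digit "0" is allowed) and no value above 255.
# Returns the 32-bit integer form of the address, or undef on rejection.
sub parse_ipv4_strict {
    my ($addr) = @_;
    my @quads = split /\./, $addr, -1;       # -1 keeps trailing empty fields
    return undef unless @quads == 4;
    my $n = 0;
    for my $q (@quads) {
        # "0" is fine; "010", "00" or anything non-numeric is rejected
        return undef unless $q =~ /^(?:0|[1-9][0-9]{0,2})$/;
        return undef if $q > 255;
        $n = ($n << 8) | $q;
    }
    return $n;
}

# Lenient parser that mirrors the ambiguity in the advisory (illustration
# only, not the module's actual code): an octet with a leading zero is
# passed through oct(), so "010" is read as octal 8 rather than decimal 10.
sub parse_ipv4_lenient {
    my ($addr) = @_;
    my @quads = split /\./, $addr, -1;
    return undef unless @quads == 4;
    my $n = 0;
    for my $q (@quads) {
        return undef unless $q =~ /^[0-9]+$/;
        my $v = ($q =~ /^0[0-9]/) ? oct($q) : $q + 0;
        return undef if $v > 255;
        $n = ($n << 8) | $v;
    }
    return $n;
}

# Render a 32-bit integer back to dotted-quad form for display.
sub dotted {
    my ($n) = @_;
    return join '.', map { ($n >> (8 * $_)) & 255 } 3, 2, 1, 0;
}

# Constructed sample inputs: the advisory's leading-zero address alongside
# the two addresses a reader might confuse it with.
for my $addr ('010.0.0.1', '10.0.0.1', '8.0.0.1') {
    my $s = parse_ipv4_strict($addr);
    my $l = parse_ipv4_lenient($addr);
    printf "%-10s strict=%-10s lenient=%s\n", $addr,
        defined $s ? dotted($s) : 'REJECTED',
        defined $l ? dotted($l) : 'REJECTED';
}
```

Run with `perl` and the strict parser rejects '010.0.0.1' outright, while the lenient one silently reports it as 8.0.0.1; the other two inputs parse identically under both. Rejecting rather than reinterpreting is the safer choice for an access-control list, because a rejected entry fails closed and is visible in logs, whereas a reinterpreted one quietly admits a different network than the one the administrator wrote down.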

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.