Net::CIDR::Lite IP Address Validation Vulnerability in Perl
Vulnerability
Net::CIDR::Lite for Perl, in versions prior to 0.24, fails to properly validate IP address and CIDR mask inputs, which can lead to IP Access Control List (ACL) bypass. Inputs with trailing newlines or non-ASCII digit characters are accepted by the validators but are subsequently re-encoded by the parser, potentially altering the address representation. As a result, the find() and bin_find() methods may incorrectly match or miss addresses. For example, adding '::1' with a trailing newline as a CIDR and then searching for '::1a' would incorrectly return a match.
Impact
Exploitation of this vulnerability could allow for IP ACL bypass, where access controls based on IP addresses are incorrectly evaluated, potentially leading to unauthorized access or actions.
Reproduction
To reproduce this vulnerability, create a new Net::CIDR::Lite object and add a CIDR block that includes a trailing newline. Then, use the find() or bin_find() method to search for an address that includes non-ASCII digit characters. The search will incorrectly return a match, demonstrating the validation flaw.
Remediation
Users are advised to update to Net::CIDR::Lite version 0.24 or later, where this vulnerability has been addressed.
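The two input classes named in the Vulnerability section, shown as an added Perl example that is not taken from the advisory or from Net::CIDR::Lite's source: a loosely anchored pattern accepts them, while a strictly anchored, ASCII-only gate in front of add() and find() rejects them. The patterns and the names loose_ok and strict_ok are assumptions for illustration, and the sample inputs are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Loose check (illustrative only, not the module's source): `$` also matches
# just before a final "\n", and \d matches any Unicode decimal digit.
sub loose_ok {
    my ($s) = @_;
    return $s =~ m{^[\da-fA-F:.]+(?:/\d+)?$} ? 1 : 0;
}

# Strict gate: \A and \z anchor to the real string ends and the classes are
# ASCII-only. This is a character-level pre-filter, not a full address parser.
sub strict_ok {
    my ($s) = @_;
    return 0 unless defined $s;
    return 0 unless $s =~ m{\A([0-9A-Fa-f:.]{2,45})(?:/([0-9]{1,3}))?\z};
    my ($addr, $mask) = ($1, $2);
    my $max = $addr =~ /:/ ? 128 : 32;    # IPv6 vs IPv4 prefix length limit
    return 0 if defined $mask && $mask > $max;
    return 1;
}

# Constructed sample inputs covering both input classes.
my @samples = (
    "10.0.0.0/8",
    "::1",
    "::1\n",                  # trailing newline
    "10.0.0.0/8\n",           # trailing newline after the mask
    "10.0.0.0/\x{0668}",      # mask written with ARABIC-INDIC DIGIT EIGHT
    "10.0.0.\x{0661}/32",     # octet written with ARABIC-INDIC DIGIT ONE
);

for my $s (@samples) {
    # Escape non-printable and non-ASCII characters for display.
    (my $shown = $s) =~ s/([^\x20-\x7e])/sprintf('\\x{%04x}', ord $1)/ge;
    printf "%-24s loose=%d strict=%d\n", $shown, loose_ok($s), strict_ok($s);
}
```

Rejecting at the string level, before add() or find() sees the value, avoids depending on how a given module version re-encodes it.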
