Net::CIDR::Lite Improper CIDR Mask Validation Leading to IP ACL Bypass Vulnerability
Vulnerability
A vulnerability exists in Net::CIDR::Lite for Perl, specifically in versions prior to 0.24, where the library fails to properly validate CIDR mask inputs. This oversight allows zero-padded masks, such as '/00' and '/01', to pass validation and be parsed into prefixes that could bypass IP Access Control Lists (ACLs). The issue arises because the validation process does not account for extraneous zero characters, enabling certain masks to be interpreted differently than intended. As a result, functions like find() may incorrectly match or miss addresses.
Impact
Exploitation of this vulnerability could lead to unintended IP ACL bypass, allowing for unauthorized access or actions based on misinterpreted CIDR mask values.
Reproduction
To reproduce this vulnerability, create a new Net::CIDR::Lite object and add a CIDR range using a zero-padded mask, such as '/00' or '/01'. The library will accept and parse these masks incorrectly, potentially allowing IP ACL bypass when using the find() or bin_find() methods.
Remediation
Users are advised to update to Net::CIDR::Lite version 0.24 or later, where this vulnerability has been addressed.
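As a defence-in-depth check alongside the upgrade, the script below audits ACL entries for non-canonical masks before they are handed to the library, and reports whether the installed Net::CIDR::Lite is at least 0.24. It is an added example, not code from the advisory or from the Net::CIDR::Lite project; mask_problem, audit and the sample entries are hypothetical names and constructed data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper (not part of Net::CIDR::Lite): returns undef when the
# entry's mask is canonical, otherwise a short reason string.
sub mask_problem {
    my ($entry) = @_;
    my ($addr, $mask) = $entry =~ m{\A([^/\s]+)/(.*)\z}s
        or return 'not in address/mask form';
    my $max = $addr =~ /:/ ? 128 : 32;   # treat as IPv6 if it contains ':'
    return 'mask is not plain ASCII digits' unless $mask =~ /\A[0-9]+\z/;
    return 'zero-padded mask'               if $mask =~ /\A0[0-9]/;
    return "mask exceeds /$max"             if $mask > $max;
    return;
}

# Returns [entry, reason] pairs for every entry that should be rejected or
# rewritten before it reaches the ACL.
sub audit {
    my @findings;
    for my $entry (@_) {
        my $why = mask_problem($entry);
        push @findings, [ $entry, $why ] if defined $why;
    }
    return @findings;
}

# Constructed sample ACL entries, including the '/00' and '/01' forms.
my @acl = ('10.0.0.0/8', '0.0.0.0/00', '198.51.100.0/01',
           '2001:db8::/032', '203.0.113.7/32', '192.0.2.0/33');

printf "REJECT %-18s %s\n", @$_ for audit(@acl);

# Report whether the installed library is the fixed release (0.24 or later).
if (eval { require Net::CIDR::Lite; 1 }) {
    my $fixed = eval { Net::CIDR::Lite->VERSION('0.24'); 1 };
    printf "Net::CIDR::Lite %s: %s\n", Net::CIDR::Lite->VERSION,
        $fixed ? '0.24 or later' : 'older than 0.24, upgrade';
}
else {
    print "Net::CIDR::Lite is not installed on this host\n";
}
```

The validator uses only core Perl, so it can run in a deployment pipeline against ACL files even on hosts where the module is absent.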
