CVE-2021-29923: 
NixOS vulnerability analysis and mitigation

Go before 1.17 does not properly consider extraneous zero characters at the beginning of an IP address octet, which allows attackers to bypass access control that is based on IP addresses, because of unexpected octal interpretation. This affects net.ParseIP and net.ParseCIDR functions. The vulnerability was discovered in 2019 and assigned CVE-2021-29923 with a CVSS score of 7.5 HIGH (NVD).

The vulnerability stems from improper input validation in Go's standard library 'net' package where IP address octets with leading zeros are interpreted as octal numbers. For example, when an attacker submits '00000177.0.0.1', which should represent '127.0.0.1', net.ParseCIDR interprets it as '177.0.0.1', leading to potential security bypasses (SICK Advisory).

The vulnerability can allow attackers to bypass IP-based access control mechanisms in applications that rely on Go's net.ParseIP and net.ParseCIDR functions. This could lead to unauthorized access to protected resources or bypass of security controls that depend on IP address validation (SICK Advisory).

The vulnerability was fixed in Go version 1.17. Users are advised to upgrade to Go 1.17 or later versions. For systems that cannot be immediately upgraded, careful validation of IP addresses before passing them to the affected functions is recommended (Go Review).

The vulnerability was presented at DEF CON 29, highlighting its significance in the security community. Multiple Linux distributions including Fedora and Gentoo have issued security advisories and patches for this vulnerability (Fedora Update, Gentoo Advisory).