Invalid Memory Access Flaw in Libyang Affects Applications Using Untrusted Input
CVE-2019-20392

6.5MEDIUM

Key Information:

Vendor: Cesnet
Status: Libyang
Vendor: CVE Published:; 22 January 2020

What is CVE-2019-20392?

An invalid memory access issue exists in libyang prior to version 1.0-r1, particularly within the function resolve_feature_value(). This flaw arises when an if-feature statement is executed inside a list key node where the specified feature is undefined. When applications that utilize libyang attempt to process untrusted input in yang files, they may experience crashes, posing significant risks to system stability.

References

https://github.com/CESNET/libyang/commit/32fb4993bc8bb49e...

https://github.com/CESNET/libyang/issues/723

https://bugzilla.redhat.com/show_bug.cgi?id=1793922

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2020
Vulnerability Reserved
Jan 22, 2020

CVE-2019-20392 Data

JSON

Cesnet

What is CVE-2019-20392?

References

CVSS V3.1

Timeline