Double-Free Vulnerability in libyang Affects Applications Handling YANG Files
CVE-2019-20393

8.8 HIGH

Key Information:

Vendor: Cesnet

CVE Published: 22 January 2020

What is CVE-2019-20393?

A double-free vulnerability exists in the libyang library before version 1.0-r1, specifically within the yyparse() function. The flaw is triggered when an empty description is processed. Applications that process untrusted YANG files may crash or be exposed to arbitrary code execution as a result. Users of libyang should update to the latest version to mitigate the risk associated with this vulnerability.

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved