Double-Free Vulnerability in libyang Affecting CESNET
CVE-2019-20394

8.8HIGH

Key Information:

Vendor: Cesnet
Status: Libyang
Vendor: CVE Published:; 22 January 2020

What is CVE-2019-20394?

A double-free vulnerability exists in the libyang library prior to version 1.0-r3, specifically within the yyparse() function, which can be triggered when a type statement is used within a notification statement. This vulnerability allows applications utilizing libyang to parse untrusted YANG files to experience potential crashes or unexpected behavior, including the execution of arbitrary code. Properly sanitizing input and updating to the latest version are critical steps for mitigating this risk.

References

https://github.com/CESNET/libyang/compare/v1.0-r2...v1.0-r3

https://github.com/CESNET/libyang/issues/769

https://github.com/CESNET/libyang/commit/6cc51b1757dfbb7c...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2020
Vulnerability Reserved
Jan 22, 2020

CVE-2019-20394 Data

JSON

Cesnet

What is CVE-2019-20394?

References

CVSS V3.1

Timeline