NULL Pointer Dereference in libyang Affects Application Stability
CVE-2019-20398

6.5MEDIUM

Key Information:

Vendor: Cesnet
Status: Libyang
Vendor: CVE Published:; 22 January 2020

What is CVE-2019-20398?

A NULL pointer dereference vulnerability exists in libyang prior to version 1.0-r3, specifically in the function lys_extension_instances_free(). It arises from a flaw in how unresolved extensions are copied in lys_restr_dup(). This issue can potentially lead to application crashes, especially in environments that utilize libyang to parse untrusted YANG files.

References

https://github.com/CESNET/libyang/compare/v1.0-r2...v1.0-r3

https://github.com/CESNET/libyang/commit/7852b272ef77f809...

https://github.com/CESNET/libyang/issues/773

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jan 22, 2020
Vulnerability Reserved
Jan 22, 2020

CVE-2019-20398 Data

JSON

Cesnet

What is CVE-2019-20398?

References

CVSS V3.1

Timeline