Denial of Service Vulnerability in libyang Affects CESNET
CVE-2021-28904

7.5HIGH

Key Information:

Vendor: Cesnet
Status: Libyang
Vendor: CVE Published:; 20 May 2021

What is CVE-2021-28904?

The vulnerability in libyang arises from a failure to validate the NULL value of the revision parameter in the ext_get_plugin() function. When this parameter is NULL, a comparison using strcmp can cause unexpected crashes, potentially leading to service disruption. Users of libyang versions up to 1.0.225 should review their implementations and consider applying measures to mitigate this issue. For further details, consult the related resources, including the Gentoo security advisory and the GitHub issue discussing the vulnerability.

References

https://github.com/CESNET/libyang/issues/1451

x_refsource_CONFIRM

https://security.gentoo.org/glsa/202107-54

vendor-advisoryx_refsource_GENTOO

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 20, 2021
Vulnerability Reserved
Mar 19, 2021

CVE-2021-28904 Data

JSON

Cesnet

What is CVE-2021-28904?

References

CVSS V3.1

Timeline