CVE-2019-19333 — Stack-based Buffer Overflow in Libyang

CWE-121 — Stack-based Buffer Overflow CWE-787 — Out-of-bounds Write7 documents6 sources

Severity

9.8CRITICALNVD

EPSS

0.7%

top 26.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cesnet Libyang Debian Libyang RED HAT Libyang +1 more

Timeline

PublishedDec 6

Latest updateMay 24

Description

In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "bits". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

▶debiandebian/libyang< libyang 0.16.105-2 (bullseye)

▶Debiancesnet/libyang< 0.16.105-2+2

▶NVDcesnet/libyang7 versions+6

▶CVEListV5red_hat/libyanglibyang all versions before 1.0-r5

Also affects: Enterprise Linux 8.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-68cw-w9pp-fc96: In all versions of libyang before 1↗2022-05-24

▶

OSV

CVE-2019-19333: In all versions of libyang before 1↗2019-12-06

▶

📋Vendor Advisories

Red Hat

libyang: stack-based buffer overflow in make_canonical when bits leaf type is used↗2019-12-05

▶

Debian

CVE-2019-19333: libyang - In all versions of libyang before 1.0-r5, a stack-based buffer overflow was disc...↗2019

▶

💬Community

Bugzilla

CVE-2019-19333 libyang: stack-based buffer overflow in make_canonical when bits leaf type is used [fedora-all]↗2019-12-06

▶

Bugzilla

CVE-2019-19333 libyang: stack-based buffer overflow in make_canonical when bits leaf type is used↗2019-12-04

▶