CVE-2019-20391 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Libyang

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 57.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cesnet Libyang Debian Libyang

Timeline

PublishedJan 22

Latest updateMay 24

Description

An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libyang< libyang 1.0.176-1 (bullseye)

▶Debiancesnet/libyang< 1.0.176-1+2

▶NVDcesnet/libyang7 versions+6

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-57jg-xr2w-54jg: An invalid memory access flaw is present in libyang before v1↗2022-05-24

▶

OSV

CVE-2019-20391: An invalid memory access flaw is present in libyang before v1↗2020-01-22

▶

📋Vendor Advisories

Red Hat

libyang: invalid memory access in resolve_feature_value() when a if-feature is used inside a bit↗2019-04-26

▶

Debian

CVE-2019-20391: libyang - An invalid memory access flaw is present in libyang before v1.0-r3 in the functi...↗2019

▶

💬Community

Bugzilla

CVE-2019-20391 libyang: invalid memory access in resolve_feature_value() when a if-feature is used inside a bit [fedora-all]↗2020-02-03

▶

Bugzilla

CVE-2019-20391 libyang: invalid memory access in resolve_feature_value() when a if-feature is used inside a bit↗2020-01-22

▶