CVE-2019-20392 — Improper Restriction of Operations within the Bounds of a Memory Buffer in Libyang

CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 57.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cesnet Libyang Debian Libyang

Timeline

PublishedJan 22

Latest updateMay 24

Description

An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libyang< libyang 1.0.176-1 (bullseye)

▶Debiancesnet/libyang< 1.0.176-1+2

▶NVDcesnet/libyang6 versions+5

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

GHSA

GHSA-5xx9-wg6x-hj24: An invalid memory access flaw is present in libyang before v1↗2022-05-24

▶

OSV

CVE-2019-20392: An invalid memory access flaw is present in libyang before v1↗2020-01-22

▶

📋Vendor Advisories

Red Hat

libyang: invalid memory access when if-feature statement is used inside a list key node↗2019-03-07

▶

Debian

CVE-2019-20392: libyang - An invalid memory access flaw is present in libyang before v1.0-r1 in the functi...↗2019

▶

💬Community

Bugzilla

CVE-2019-20392 libyang: invalid memory access when if-feature statement is used inside a list key node [fedora-all]↗2020-02-03

▶

Bugzilla

CVE-2019-20392 libyang: invalid memory access when if-feature statement is used inside a list key node↗2020-01-22

▶