CVE-2019-20395 — Uncontrolled Recursion in Libyang

CWE-674 — Uncontrolled Recursion7 documents6 sources

Severity

6.5MEDIUMNVD

EPSS

0.2%

top 57.35%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Cesnet Libyang Debian Libyang

Timeline

PublishedJan 22

Latest updateMay 24

Description

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶debiandebian/libyang< libyang 1.0.176-1 (bullseye)

▶Debiancesnet/libyang< 1.0.176-1+2

▶NVDcesnet/libyang6 versions+5

🔴Vulnerability Details

GHSA

GHSA-3ffh-3h59-484g: A stack consumption issue is present in libyang before v1↗2022-05-24

▶

OSV

CVE-2019-20395: A stack consumption issue is present in libyang before v1↗2020-01-22

▶

📋Vendor Advisories

Red Hat

libyang: stack-overflow when parsing yang files with self-referential union types↗2019-03-08

▶

Debian

CVE-2019-20395: libyang - A stack consumption issue is present in libyang before v1.0-r1 due to the self-r...↗2019

▶

💬Community

Bugzilla

CVE-2019-20395 libyang: stack-overflow when parsing yang files with self-referential union types [fedora-all]↗2020-02-03

▶

Bugzilla

CVE-2019-20395 libyang: stack-overflow when parsing yang files with self-referential union types↗2020-01-22

▶