CVE-2019-20795 — Use After Free in Project Iproute2

CWE-416 — Use After Free10 documents9 sources

Severity

4.4MEDIUMNVD

EPSS

0.0%

top 91.61%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Iproute2 Project Iproute2 Canonical Ubuntu Linux

Timeline

PublishedMay 9

Latest updateDec 14

Description

iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetns.c. NOTE: security relevance may be limited to certain uses of setuid that, although not a default, are sometimes a configuration option offered to end users. Even when setuid is used, other factors (such as C library configuration) may block exploitability.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:HExploitability: 0.8 | Impact: 3.6

Affected Packages2 packages

▶NVDiproute2_project/iproute2< 5.1.0

▶Debianiproute2_project/iproute2< 5.2.0-1+3

Also affects: Ubuntu Linux 18.04

Patches

Patch: git.kernel.org ↗Patch: git.kernel.org ↗

🔴Vulnerability Details

GHSA

GHSA-7x5p-w7r4-hq6m: iproute2 before 5↗2022-05-24

▶

OSV

CVE-2019-20795: iproute2 before 5↗2020-05-09

▶

CVEList

CVE-2019-20795: iproute2 before 5↗2020-05-09

▶

📋Vendor Advisories

CISA ICS

Siemens SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP V3.1↗2023-12-14

▶

Ubuntu

IPRoute vulnerability↗2020-05-13

▶

Red Hat

iproute: use-after-free in get_netnsid_from_name in ip/ipnetns.c↗2019-05-05

▶

Debian

CVE-2019-20795: iproute2 - iproute2 before 5.1.0 has a use-after-free in get_netnsid_from_name in ip/ipnetn...↗2019

▶

💬Community

Bugzilla

CVE-2019-20795 iproute: use-after-free in get_netnsid_from_name in ip/ipnetns.c [fedora-all]↗2020-08-12

▶

Bugzilla

CVE-2019-20795 iproute: use-after-free in get_netnsid_from_name in ip/ipnetns.c↗2020-08-12

▶