8.8

CVE-2019-20393

Exploit
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CesnetLibyang Version0.11 Updater1
CesnetLibyang Version0.11 Updater2
CesnetLibyang Version0.12 Updater1
CesnetLibyang Version0.12 Updater2
CesnetLibyang Version0.13 Updater1
CesnetLibyang Version0.13 Updater2
CesnetLibyang Version0.14 Updater1
CesnetLibyang Version0.15 Updater1
CesnetLibyang Version0.16 Updater1
CesnetLibyang Version0.16 Updater2
CesnetLibyang Version0.16 Updater3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.79% 0.846
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-415 Double Free

The product calls free() twice on the same memory address.

https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html
https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1793930
Patch
Third Party Advisory
Issue Tracking
https://github.com/CESNET/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed
Patch
Third Party Advisory
https://github.com/CESNET/libyang/issues/742
Third Party Advisory
Exploit