8.8

CVE-2019-20393

Exploit
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CesnetLibyang Version0.11 Updater1
CesnetLibyang Version0.11 Updater2
CesnetLibyang Version0.12 Updater1
CesnetLibyang Version0.12 Updater2
CesnetLibyang Version0.13 Updater1
CesnetLibyang Version0.13 Updater2
CesnetLibyang Version0.14 Updater1
CesnetLibyang Version0.15 Updater1
CesnetLibyang Version0.16 Updater1
CesnetLibyang Version0.16 Updater2
CesnetLibyang Version0.16 Updater3
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.29% 0.519
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-415 Double Free

The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.

https://bugzilla.redhat.com/show_bug.cgi?id=1793930
Patch
Third Party Advisory
Issue Tracking
https://github.com/CESNET/libyang/issues/742
Third Party Advisory
Exploit