8.8

CVE-2019-20397

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CesnetLibyang Version0.11 Updater1
CesnetLibyang Version0.11 Updater2
CesnetLibyang Version0.12 Updater1
CesnetLibyang Version0.12 Updater2
CesnetLibyang Version0.13 Updater1
CesnetLibyang Version0.13 Updater2
CesnetLibyang Version0.14 Updater1
CesnetLibyang Version0.15 Updater1
CesnetLibyang Version0.16 Updater1
CesnetLibyang Version0.16 Updater2
CesnetLibyang Version0.16 Updater3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 2.49% 0.825
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 8.8 2.8 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvd@nist.gov 6.8 8.6 6.4
AV:N/AC:M/Au:N/C:P/I:P/A:P
CWE-415 Double Free

The product calls free() twice on the same memory address.

https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html
https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=1793928
Patch
Third Party Advisory
Issue Tracking
https://github.com/CESNET/libyang/commit/88bd6c548ba79bce176cd875e9b56e7e0ef4d8d4
Patch
Third Party Advisory
https://github.com/CESNET/libyang/issues/739
Third Party Advisory