6.5

CVE-2019-20398

Exploit
A NULL pointer dereference is present in libyang before v1.0-r3 in the function lys_extension_instances_free() due to a copy of unresolved extensions in lys_restr_dup(). Applications that use libyang to parse untrusted input yang files may crash.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
CesnetLibyang Version0.11 Updater1
CesnetLibyang Version0.11 Updater2
CesnetLibyang Version0.12 Updater1
CesnetLibyang Version0.12 Updater2
CesnetLibyang Version0.13 Updater1
CesnetLibyang Version0.13 Updater2
CesnetLibyang Version0.14 Updater1
CesnetLibyang Version0.15 Updater1
CesnetLibyang Version0.16 Updater1
CesnetLibyang Version0.16 Updater2
CesnetLibyang Version0.16 Updater3
CesnetLibyang Version1.0 Updater1
CesnetLibyang Version1.0 Updater2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 1.82% 0.759
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 6.5 2.8 3.6
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
nvd@nist.gov 4.3 8.6 2.9
AV:N/AC:M/Au:N/C:N/I:N/A:P
CWE-476 NULL Pointer Dereference

The product dereferences a pointer that it expects to be valid but is NULL.

https://github.com/CESNET/libyang/compare/v1.0-r2...v1.0-r3
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html
https://bugzilla.redhat.com/show_bug.cgi?id=1793935
Patch
Third Party Advisory
Issue Tracking
https://github.com/CESNET/libyang/commit/7852b272ef77f8098c35deea6c6f09cb78176f08
Patch
https://github.com/CESNET/libyang/issues/773
Third Party Advisory
Exploit