Vulnerability Details CVE-2019-19334
In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.006
EPSS Ranking 69.5%
CVSS Severity
CVSS v3 Score 8.1
CVSS v2 Score 7.5
References
- https://access.redhat.com/errata/RHSA-2019:4360
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334
- https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/
- https://access.redhat.com/errata/RHSA-2019:4360
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334
- https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/
Products affected by CVE-2019-19334
-
cpe:2.3:a:cesnet:libyang:0.11
-
cpe:2.3:a:cesnet:libyang:0.12
-
cpe:2.3:a:cesnet:libyang:0.13
-
cpe:2.3:a:cesnet:libyang:0.14
-
cpe:2.3:a:cesnet:libyang:0.15
-
cpe:2.3:a:cesnet:libyang:0.16
-
cpe:2.3:a:cesnet:libyang:1.0
-
cpe:2.3:o:fedoraproject:fedora:31
-
cpe:2.3:o:redhat:enterprise_linux:8.0