Vulnerability Details CVE-2019-20392
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 36.3%
CVSS Severity
CVSS v3 Score 6.5
CVSS v2 Score 4.3
References
- https://bugzilla.redhat.com/show_bug.cgi?id=1793922
- https://github.com/CESNET/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5
- https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
- https://github.com/CESNET/libyang/issues/723
- https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1793922
- https://github.com/CESNET/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5
- https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
- https://github.com/CESNET/libyang/issues/723
- https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html
Products affected by CVE-2019-20392
-
cpe:2.3:a:cesnet:libyang:0.11
-
cpe:2.3:a:cesnet:libyang:0.12
-
cpe:2.3:a:cesnet:libyang:0.13
-
cpe:2.3:a:cesnet:libyang:0.14
-
cpe:2.3:a:cesnet:libyang:0.15
-
cpe:2.3:a:cesnet:libyang:0.16