Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2019-19334

In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.

Published

2019-12-06T16:15:10.920

Last Modified

2024-11-21T04:34:35.840

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.8 (CRITICAL)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:P/I:P/A:P

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

Exploitability Score

10.0

Impact Score

6.4

Weaknesses

Type: Secondary
CWE-121
Type: Primary
CWE-787

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	cesnet	libyang	0.11	Yes
Application	cesnet	libyang	0.11	Yes
Application	cesnet	libyang	0.12	Yes
Application	cesnet	libyang	0.12	Yes
Application	cesnet	libyang	0.13	Yes
Application	cesnet	libyang	0.13	Yes
Application	cesnet	libyang	0.14	Yes
Application	cesnet	libyang	0.15	Yes
Application	cesnet	libyang	0.16	Yes
Application	cesnet	libyang	0.16	Yes
Application	cesnet	libyang	0.16	Yes
Application	cesnet	libyang	1.0	Yes
Application	cesnet	libyang	1.0	Yes
Application	cesnet	libyang	1.0	Yes
Application	cesnet	libyang	1.0	Yes
Operating System	redhat	enterprise_linux	8.0	Yes
Operating System	fedoraproject	fedora	31	Yes

References

https://access.redhat.com/errata/RHSA-2019:4360 ([email protected])
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334 Issue Tracking, Patch, Third Party Advisory ([email protected])
https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6 Patch, Third Party Advisory ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/ ([email protected])
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/ ([email protected])
https://access.redhat.com/errata/RHSA-2019:4360 (af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334 Issue Tracking, Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059d6 Patch, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PETB6TVMFV5KUD4IKVP2JPLBCYHUGSAJ/ (af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RL54JMS7XW7PI6JC4BFSNNLSX5AINQUL/ (af854a3a-2127-422b-91ae-364da2661108)