Vulnerability Details: CVE-2019-20396
A segmentation fault is present in yyparse in libyang before v1.0-r1 due to a malformed pattern statement value during lys_parse_path parsing.
Vulnerability category: Overflow, Memory Corruption
Products affected by CVE-2019-20396
- cpe:2.3:a:cesnet:libyang:0.11:r1:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.11:r2:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.12:r1:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.12:r2:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.13:r1:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.13:r2:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.14:r1:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.15:r1:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.16:r1:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.16:r2:*:*:*:*:*:*
- cpe:2.3:a:cesnet:libyang:0.16:r3:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-20396
- 0.46%: Probability of exploitation activity in the next 30 days
- ~ 75 %: Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2019-20396
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:N/A:P | 8.6 | 2.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2019-20396
- The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
  Assigned by: nvd@nist.gov (Primary)
References for CVE-2019-20396
- https://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
  Comparing v0.16-r3...v1.0-r1 · CESNET/libyang · GitHub (Third Party Advisory)
- https://github.com/CESNET/libyang/commit/a1f17693904ed6fecc8902c747fc50a8f20e6af8
  yang parser BUGFIX allocate more patterns than currently needed · CESNET/libyang@a1f1769 · GitHub (Patch; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html
  [SECURITY] [DLA 3572-1] libyang security update
- https://github.com/CESNET/libyang/issues/740
  Segmentation fault in yyparse due to malformed pattern statement value · Issue #740 · CESNET/libyang · GitHub (Exploit; Third Party Advisory)