Vulnerability Details : CVE-2021-28905
Potential exploit
The function lys_node_free() in libyang <= v1.0.225 asserts that node->module is not NULL. In some cases node->module can be NULL, which triggers a reachable assertion (CWE-617).
Products affected by CVE-2021-28905
- cpe:2.3:a:cesnet:libyang:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-28905
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- Percentile: ~32% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2021-28905
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P | 10.0 | 2.9 | NIST | |
7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H | 3.9 | 3.6 | NIST | |
CWE ids for CVE-2021-28905
- The product contains an assert() or similar statement that can be triggered by an attacker, which leads to an application exit or other behavior that is more severe than necessary. Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-28905
- https://github.com/CESNET/libyang/issues/1452
  “lys_node_free” function's arg node->module can be NULL, which leads to assert. · Issue #1452 · CESNET/libyang · GitHub (Exploit; Issue Tracking; Patch; Third Party Advisory)
- https://security.gentoo.org/glsa/202107-54
  libyang: Multiple vulnerabilities (GLSA 202107-54) — Gentoo security (Third Party Advisory)