Multiple vulnerabilities in CESNET libyang



Updated: 2020-08-08
Risk: High
Patch available: YES
Number of vulnerabilities: 5
CVE-ID: CVE-2019-20392, CVE-2019-20393, CVE-2019-20395, CVE-2019-20396, CVE-2019-20397
CWE-ID: CWE-119, CWE-415, CWE-400, CWE-20
Exploitation vector: Network
Public exploit: N/A
Vulnerable software: libyang (Universal components / Libraries / Libraries used by multiple products)
Vendor: CESNET

Security Bulletin

This security bulletin contains information about 5 vulnerabilities.

1) Buffer overflow

EUVDB-ID: #VU34862

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20392

CWE-ID: CWE-119 - Memory corruption

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node and the feature used is not defined. Applications that use libyang to parse untrusted input YANG files may crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links

http://bugzilla.redhat.com/show_bug.cgi?id=1793922
http://github.com/CESNET/libyang/commit/32fb4993bc8bb49e93e84016af3c10ea53964be5
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/723


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Double Free

EUVDB-ID: #VU34863

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-20393

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input YANG files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links

http://bugzilla.redhat.com/show_bug.cgi?id=1793930
http://github.com/CESNET/libyang/commit/d9feacc4a590d35dbc1af21caf9080008b4450ed
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/742


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU34865

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20395

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input YANG files may crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links

http://bugzilla.redhat.com/show_bug.cgi?id=1793924
http://github.com/CESNET/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/724


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Input validation error

EUVDB-ID: #VU34866

Risk: Medium

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-20396

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.

A segmentation fault is present in yyparse in libyang before v1.0-r1 due to a malformed pattern statement value during lys_parse_path parsing.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links

http://github.com/CESNET/libyang/commit/a1f17693904ed6fecc8902c747fc50a8f20e6af8
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/740


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Double Free

EUVDB-ID: #VU34867

Risk: High

CVSSv4.0: 6.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2019-20397

CWE-ID: CWE-415 - Double Free

Exploit availability: No

Description

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

A double-free is present in libyang before v1.0-r1 in the function yyparse() when an organization field is not terminated. Applications that use libyang to parse untrusted input YANG files may be vulnerable to this flaw, which would cause a crash or potentially code execution.

Mitigation

Install update from vendor's website.

Vulnerable software versions

libyang: 0.11 - 0.16

External links

http://bugzilla.redhat.com/show_bug.cgi?id=1793928
http://github.com/CESNET/libyang/commit/88bd6c548ba79bce176cd875e9b56e7e0ef4d8d4
http://github.com/CESNET/libyang/compare/v0.16-r3...v1.0-r1
http://github.com/CESNET/libyang/issues/739


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


