Vulnerabilities > CVE-2019-20398 - NULL Pointer Dereference vulnerability in Cesnet Libyang

CVSS 6.5 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

HIGH

network

low complexity

cesnet

CWE-476

NVD

Published: 2020-01-22

Updated: 2023-09-19

Summary

A NULL pointer dereference is present in libyang before v1.0-r3 in the function lys_extension_instances_free() due to a copy of unresolved extensions in lys_restr_dup(). Applications that use libyang to parse untrusted input yang files may crash.

Vulnerable Configurations

Part	Description	Count
Application	Cesnet Cesnet Libyang 1.0 Cesnet Libyang 0.16 Cesnet Libyang 0.13 Cesnet Libyang 0.12 Cesnet Libyang 0.11 Cesnet Libyang 0.14 Cesnet Libyang 0.15	13

Common Weakness Enumeration (CWE)

CWE-476 - NULL Pointer Dereference

References

https://github.com/CESNET/libyang/commit/7852b272ef77f8098c35deea6c6f09cb78176f08
https://bugzilla.redhat.com/show_bug.cgi?id=1793935
https://github.com/CESNET/libyang/compare/v1.0-r2...v1.0-r3
https://github.com/CESNET/libyang/issues/773
https://lists.debian.org/debian-lts-announce/2023/09/msg00019.html