Vulnerability Description
In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Cesnet | Libyang | 0.11 |
| Redhat | Enterprise Linux | 8.0 |
| Fedoraproject | Fedora | 31 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHSA-2019:4360
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334Issue TrackingPatchThird Party Advisory
- https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059dPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://access.redhat.com/errata/RHSA-2019:4360
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-19334Issue TrackingPatchThird Party Advisory
- https://github.com/CESNET/libyang/commit/6980afae2ff9fcd6d67508b0a3f694d75fd059dPatchThird Party Advisory
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedorapro
FAQ
What is CVE-2019-19334?
CVE-2019-19334 is a vulnerability with a CVSS score of 9.8 (CRITICAL). In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse...
How severe is CVE-2019-19334?
CVE-2019-19334 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-19334?
Check the references section above for vendor advisories and patch information. Affected products include: Cesnet Libyang, Redhat Enterprise Linux, Fedoraproject Fedora.