Strix
26.1K

CVE-2019-19334

CRITICALCVSS 9.8/10EPSS 3.87%

Last modified

CVE-2019-19334 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.. EPSS estimates a 3.87% chance of exploitation in the next 30 days.

Description

In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
3.87%

88.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersionsUpdate
CesnetLibyang0.11R1
CesnetLibyang0.12R1
CesnetLibyang0.13R1
CesnetLibyang0.14R1
CesnetLibyang0.15R1
CesnetLibyang0.16R1
CesnetLibyang1.0R1
RedhatEnterprise Linux8.0
FedoraprojectFedora31

References

Timeline

Published
Last Modified
Status
Modified

Frequently Asked Questions

What is CVE-2019-19334?
In all versions of libyang before 1.0-r5, a stack-based buffer overflow was discovered in the way libyang parses YANG files with a leaf of type "identityref". An application that uses libyang to parse untrusted YANG files may be vulnerable to this flaw, which would allow an attacker to cause a denial of service or possibly gain code execution.
How severe is CVE-2019-19334?
CVE-2019-19334 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 3.87% probability of exploitation in the next 30 days.
How do I fix CVE-2019-19334?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2019-19334?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST