CVE-2019-20395

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2019-20395
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20395.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2019-20395
Downstream
Published
2020-01-22T22:15:10Z
Modified
2025-09-16T07:03:01.885783Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

A stack consumption issue is present in libyang before v1.0-r1 due to the self-referential union type containing leafrefs. Applications that use libyang to parse untrusted input yang files may crash.

References

Affected packages

Debian:11 / libyang

Package

Name
libyang
Purl
pkg:deb/debian/libyang?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.176-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / libyang

Package

Name
libyang
Purl
pkg:deb/debian/libyang?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.176-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / libyang

Package

Name
libyang
Purl
pkg:deb/debian/libyang?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.176-1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Git / github.com/cesnet/libyang

Affected ranges

Type
GIT
Repo
https://github.com/cesnet/libyang
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
4e610ccd87a2ba9413819777d508f71163fcc237

Affected versions

v0.*

v0.11-r1
v0.11-r2
v0.12-r1
v0.12-r2
v0.13-r1
v0.13-r2
v0.14-r1
v0.15-r1
v0.16-r1
v0.16-r2
v0.16-r3

Database specific 

{
    "vanir_signatures": [
        {
            "signature_version": "v1",
            "deprecated": false,
            "digest": {
                "line_hashes": [
                    "3709349080758321315407667873054799407",
                    "40654331277087705153599236626700139120",
                    "218179774092547475255011025591562155373",
                    "26945906380788539331119058460512143650",
                    "264360412021372370516957297717262205066",
                    "284379208038719699281704151082864052738",
                    "171523464213288179775304606129955718185",
                    "173219762027759162992708704487438489215",
                    "169767442580532088647275499892906396249",
                    "163540545431702451184062262278825169497",
                    "230432405834600232943716359155561282208",
                    "210958065997923273270503473910467040005",
                    "52705719169573697649606145238168379853",
                    "74978519002525096908372406906754533918",
                    "338968714568132339179493525815625457068",
                    "110431218070066215195198435093039810576",
                    "168996680281455421702825745518376836742",
                    "237265185966647641462833730081134853855",
                    "130432884066073796841987305543045007877",
                    "41856024564754209253740145975891080938",
                    "187918657215396913159733145370849044587",
                    "235627434437076040235478635208155584990",
                    "156231516063688709759703948455246765715",
                    "281878610022157967428454344263993798914",
                    "37651723104265209483492304430164809389",
                    "17285245695473915830116170919378033615",
                    "68990558883184452840172507034795811974",
                    "91835791136993315471851169704730021515",
                    "179910586640509158592462293263687892249",
                    "32072546804617593968369651922607475827",
                    "212636670241501265826527964257535120951",
                    "169169816915948622447376095793041624614",
                    "203215452072960001537708029648505410179",
                    "167325683983032162877898557235445539388",
                    "50591885780544046276219277659510187527",
                    "334471996539810398492372019661608692698"
                ],
                "threshold": 0.9
            },
            "signature_type": "Line",
            "source": "https://github.com/cesnet/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237",
            "target": {
                "file": "src/resolve.c"
            },
            "id": "CVE-2019-20395-1d76204d"
        },
        {
            "signature_version": "v1",
            "deprecated": false,
            "digest": {
                "function_hash": "35331683292158375526001179803226955979",
                "length": 2365.0
            },
            "signature_type": "Function",
            "source": "https://github.com/cesnet/libyang/commit/4e610ccd87a2ba9413819777d508f71163fcc237",
            "target": {
                "file": "src/resolve.c",
                "function": "resolve_superior_type"
            },
            "id": "CVE-2019-20395-59c63e27"
        }
    ]
}