CVE-2019-20892
- Source
- https://nvd.nist.gov/vuln/detail/CVE-2019-20892
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-20892.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2019-20892
- Downstream
- Published
- 2020-06-25T10:15:10Z
- Modified
- 2025-09-19T11:03:34.239634Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- [none]
- Details
-
net-snmp before 5.8.1.pre1 has a double free in usmfreeusmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
- References
-
- http://www.openwall.com/lists/oss-security/2020/06/25/4
- https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
- https://bugzilla.redhat.com/show_bug.cgi?id=1663027
- https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
- https://security.gentoo.org/glsa/202008-12
- https://sourceforge.net/p/net-snmp/bugs/2923/
- https://usn.ubuntu.com/4410-1/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://security.alpinelinux.org/vuln/CVE-2019-20892
Affected packages
Alpine:v3.11 / net-snmp
Package
- Name
- net-snmp
- Purl
- pkg:apk/alpine/net-snmp?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.8-r0
Affected versions
5.*
5.4.2.1-r0
5.4.2.1-r1
5.4.2.1-r2
5.4.2.1-r3
5.4.2.1-r4
5.5-r0
5.5-r1
5.5-r2
5.5-r3
5.5-r4
5.5-r5
5.6.1-r0
5.6.1-r1
5.6.1-r2
5.7-r0
5.7.1-r0
5.7.1-r1
5.7.1-r2
5.7.1-r3
5.7.1-r4
5.7.1-r5
5.7.1-r6
5.7.1-r7
5.7.2-r0
5.7.2-r1
5.7.2-r2
5.7.2.1-r0
5.7.2.1-r1
5.7.2.1-r2
5.7.2.1-r3
5.7.2.1-r4
5.7.3-r0
5.7.3-r1
5.7.3-r2
5.7.3-r3
5.7.3-r4
5.7.3-r5
5.7.3-r6
5.7.3-r7
5.7.3-r8
5.7.3-r9
5.7.3-r10
5.7.3-r11
Alpine:v3.12 / net-snmp
Package
- Name
- net-snmp
- Purl
- pkg:apk/alpine/net-snmp?arch=source
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.8-r0
Affected versions
5.*
5.4.2.1-r0
5.4.2.1-r1
5.4.2.1-r2
5.4.2.1-r3
5.4.2.1-r4
5.5-r0
5.5-r1
5.5-r2
5.5-r3
5.5-r4
5.5-r5
5.6.1-r0
5.6.1-r1
5.6.1-r2
5.7-r0
5.7.1-r0
5.7.1-r1
5.7.1-r2
5.7.1-r3
5.7.1-r4
5.7.1-r5
5.7.1-r6
5.7.1-r7
5.7.2-r0
5.7.2-r1
5.7.2-r2
5.7.2.1-r0
5.7.2.1-r1
5.7.2.1-r2
5.7.2.1-r3
5.7.2.1-r4
5.7.3-r0
5.7.3-r1
5.7.3-r2
5.7.3-r3
5.7.3-r4
5.7.3-r5
5.7.3-r6
5.7.3-r7
5.7.3-r8
5.7.3-r9
5.7.3-r10
5.7.3-r11
Git / github.com/net-snmp/net-snmp
Affected ranges
- Type
- GIT
- Repo
- https://github.com/net-snmp/net-snmp
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v3.*
v3.0
v3.0.1
v3.0.2
v3.0.2.1
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.7.1
v3.0.7.2
v3.1
v3.1.0.1
v3.1.1
v3.1.2
v3.1.2.1
v3.1.3
v3.2
v3.3
v3.4
v3.5
v3.6
v3.6.1
v4.*
v4.0
v4.0.1
v4.1
v4.1.1
v4.2
v5.*
v5.0
v5.0.1
v5.0.10
v5.0.10.2
v5.0.11
v5.0.11.1
v5.0.2
v5.0.3
v5.0.4
v5.0.5
v5.0.6
v5.0.7
v5.0.8
v5.0.9
v5.1
v5.1.1
v5.1.2
v5.1.3
v5.1.4
v5.1.4.1
v5.2
v5.2.1
v5.2.2
v5.2.3
v5.2.4
v5.2.4.pre1
v5.2.4.pre2
v5.2.4.pre3
v5.2.4.rc1
v5.2.4.rc2
v5.2.5
v5.2.5.pre1
v5.2.5.pre2
v5.2.5.rc1
v5.2.5.rc2
v5.2.6
v5.2.6.pre1
v5.2.6.pre2
v5.2.6.rc1
v5.2.6.rc2
v5.2.6.rc3
v5.3
v5.3.1
v5.3.2
v5.3.2.pre1
v5.3.2.rc1
v5.3.3
v5.3.3.pre1
v5.3.3.rc1
v5.3.3.rc2
v5.3.4
v5.3.4.pre1
v5.3.4.pre2
v5.3.4.rc1
v5.4
v5.4.1
v5.4.1.pre1
v5.4.1.pre2
v5.4.1.pre3
v5.4.1.rc1
v5.4.1.rc2
v5.4.1.rc3
v5.4.1.rc4
v5.4.2
v5.4.2.pre1
v5.4.2.pre2
v5.4.2.rc1
v5.4.2.rc2
v5.4.2.rc3
v5.4.3
v5.4.3.pre1
v5.4.3.pre2
v5.4.3.rc1
v5.4.3.rc2
v5.4.3.rc3
v5.4.4
v5.4.4.pre1
v5.4.4.pre2
v5.4.4.rc1
v5.4.5.pre1
v5.4.5.pre2
v5.5
v5.5.1
v5.5.1.rc2
v5.5.2
v5.5.2.pre1
v5.5.2.rc1
v5.5.2.rc2
v5.5.2.rc3
v5.5.pre1
v5.5.pre2
v5.5.pre3
v5.5.rc1
v5.5.rc2
v5.5.rc3
v5.6
v5.6.1
v5.6.1.pre1
v5.6.1.pre2
v5.6.1.rc1
v5.6.1.rc2
v5.6.2
v5.6.2.pre1
v5.6.2.pre2
v5.6.2.rc1
v5.6.2.rc2
v5.6.2.rc3
v5.6.pre1
v5.6.pre2
v5.6.pre3
v5.6.rc1
v5.6.rc2
v5.6.rc3
v5.7
v5.7.1
v5.7.1.pre1
v5.7.1.pre2
v5.7.1.rc1
v5.7.1.rc2
v5.7.1.rc3
v5.7.2
v5.7.2.pre1
v5.7.2.pre2
v5.7.2.pre3
v5.7.2.rc1
v5.7.2.rc2
v5.7.2.rc3
v5.7.3
v5.7.3.pre1
v5.7.3.pre2
v5.7.3.pre3
v5.7.3.pre4
v5.7.3.pre5
v5.7.3.rc1
v5.7.3.rc2
v5.7.3.rc3
v5.7.pre1
v5.7.pre2
v5.7.rc1
v5.7.rc2
v5.7.rc3
v5.8
v5.8.pre1
v5.8.pre2
v5.8.pre3
v5.8.rc1
v5.8.rc2
v5.8.rc3
v5.8.rc4
Database specific
{
"vanir_signatures": [
{
"id": "CVE-2019-20892-382d164f",
"signature_type": "Function",
"target": {
"file": "snmplib/snmp_client.c",
"function": "_clone_pdu_header"
},
"digest": {
"function_hash": "140177603995878720991195551689799129618",
"length": 1698.0
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9"
},
{
"id": "CVE-2019-20892-5333c152",
"signature_type": "Line",
"target": {
"file": "snmplib/snmpusm.c"
},
"digest": {
"line_hashes": [
"44242992634025686115409545502120928476",
"29672997187899204588248216402839883043",
"40794116973937965067530691483828958859",
"132414243160031557982177198766023395101",
"305725171296417443372987251459616736940",
"175593073472431576251405895329683411445",
"287035748120865746564382429203163938637",
"26915744975623297004250391564358283780",
"103531736579679216853410519603960826911",
"265021316400814718833376606064233556991",
"199748301974971405245209158318257804530",
"196574635798182203035160887345760324828",
"123634601959712454489722241175334570171",
"186331237900610919361576066626885612475",
"254426379512619478811337930659412903544",
"106128518620748907713695403676523221318",
"27455802107373568368114353775119213963",
"180751480742087284200705330639104143788",
"324741654969520679044094707367129846028",
"277034873175065332979035382998353812755",
"312446659726961885171452558104658471296",
"330956671658082276948001970066774507964",
"308620508630188523687389350799315713632",
"231611819546873415251971449950058584428",
"164895656350574865052687335113615663447",
"133363327825204198443282752987767537554",
"183909225123220272610064491435452202287",
"246580444918460405508204234492900917192",
"120133148926244489050891959865597125416",
"84544450504787606045186063168188308394",
"258480738828067149461215868270467629626",
"200281615836911523953703462310525338383",
"154808664236195465024505904650726730672",
"163254431129950724490533090278976514982",
"173325409493447389001449165376081877882",
"63932343873398434131318958950339079706",
"71061357178572249993894223874099466253",
"261802238718059722677624567276162217792",
"87797271725617132585865738775349286592"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9"
},
{
"id": "CVE-2019-20892-57223eb1",
"signature_type": "Function",
"target": {
"file": "snmplib/snmpusm.c",
"function": "usm_malloc_usmStateReference"
},
"digest": {
"function_hash": "159156942628545966179758038413846966703",
"length": 112.0
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9"
},
{
"id": "CVE-2019-20892-6d822333",
"signature_type": "Function",
"target": {
"file": "snmplib/snmpusm.c",
"function": "usm_free_usmStateReference"
},
"digest": {
"function_hash": "88064372202649158328320107912822422421",
"length": 759.0
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9"
},
{
"id": "CVE-2019-20892-81da526f",
"signature_type": "Line",
"target": {
"file": "snmplib/snmp_client.c"
},
"digest": {
"line_hashes": [
"137896095288191195591564619137773233729",
"267484301248047181893885793648605803471",
"28906083445685974119879737775352735561",
"225505363771031082041171773542489953799",
"127773062946225179371899670915664919881",
"148527884924071986367937389607784222372",
"229361921883869757802187283366909677861",
"204465326253106719231605866198712229221",
"241137018290310320160035791315241935320",
"98321346952511963867742770113849008706",
"110223236143194705002654652711567162570",
"63927623152965480918902525393645277601",
"73090936670646882255427829759851757884",
"133153891305900436900955798933393314973",
"249273827103702677874325570121234344396",
"229162520623235065258140088734823300782",
"74490835845961382400778818603400143635",
"306358284737391028742449182024578498023"
],
"threshold": 0.9
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9"
},
{
"id": "CVE-2019-20892-d1526ea7",
"signature_type": "Function",
"target": {
"file": "snmplib/snmpusm.c",
"function": "init_usm"
},
"digest": {
"function_hash": "280782372303714082953061013312602056696",
"length": 2108.0
},
"deprecated": false,
"signature_version": "v1",
"source": "https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9"
}
]
}