CVE-2019-20892: Double Free
First published: Thu Jun 25 2020(Updated: )
net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Net-snmp Net-snmp | <=5.8 | |
| Oracle ZFS Storage Appliance Kit | =8.8 | |
| ubuntu/net-snmp | <5.8+dfsg-2ubuntu2.1 | 5.8+dfsg-2ubuntu2.1 |
| debian/net-snmp | 5.9+dfsg-4+deb11u1 5.9.3+dfsg-2 5.9.4+dfsg-1.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/06/25/4
- https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
- https://bugzilla.redhat.com/show_bug.cgi?id=1663027
- https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
- https://security.gentoo.org/glsa/202008-12
- https://sourceforge.net/p/net-snmp/bugs/2923/
- https://usn.ubuntu.com/4410-1/
- https://www.oracle.com/security-alerts/cpujan2021.html
- https://www.openwall.com/lists/oss-security/2020/06/25/4
- https://ubuntu.com/security/notices/USN-4410-1
- https://www.cve.org/CVERecord?id=CVE-2019-20892
- https://nvd.nist.gov/vuln/detail/CVE-2019-20892
- https://launchpad.net/bugs/cve/CVE-2019-20892
- https://security-tracker.debian.org/tracker/CVE-2019-20892
- https://github.com/net-snmp/net-snmp/commit/92ccd5a82a019fbfa835cc8ab2294cf0ca48c8f2
- https://github.com/net-snmp/net-snmp/commit/adc9b71aba9168ec64149345ea37a1acc11875c6
- https://github.com/net-snmp/net-snmp/commit/7384a8b550d4ed4a00e41b72229cfcc124926b06
- https://github.com/net-snmp/net-snmp/commit/39381c4d20dd8042870c28ae3b0c16291e50b705
- https://github.com/net-snmp/net-snmp/commit/87bd90d04f20dd3f73e3e7e631a442ccd419b9d3
- https://ubuntu.com/security/CVE-2019-20892
- https://salsa.debian.org/debian/net-snmp/-/merge_requests/3
- https://github.com/net-snmp/net-snmp/compare/1a0dbe19bf2787bb5bea913f210a9a5eb4c0c80c...e207b8113260fd7d84df0ebdb66925ab70da29b2
Frequently Asked Questions
What is CVE-2019-20892?
CVE-2019-20892 is a vulnerability in net-snmp before 5.8.1.pre1 that allows for a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request.
How does CVE-2019-20892 affect net-snmp?
CVE-2019-20892 affects net-snmp packages shipped to end users by multiple Linux distributions, but it might not affect an upstream release.
What is the severity of CVE-2019-20892?
CVE-2019-20892 has a severity level of medium with a CVSS score of 6.5.
How can I fix CVE-2019-20892?
To fix CVE-2019-20892, users should update to net-snmp version 5.8.1.pre1 or later.
What is the Common Weakness Enumeration (CWE) ID for CVE-2019-20892?
CVE-2019-20892 is associated with CWE-415, which is a double free vulnerability.
- collector/nvd-index
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/software-canonical-lookup
- agent/remedy
- agent/first-publish-date
- agent/description
- agent/author
- collector/nvd-cve
- source/NVD
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- agent/event
- agent/references
- agent/tags
- agent/trending
- vendor/net-snmp
- canonical/net-snmp net-snmp
- version/net-snmp net-snmp/5.8
- vendor/oracle
- canonical/oracle zfs storage appliance kit
- version/oracle zfs storage appliance kit/8.8
- package-manager/ubuntu
- package-manager/debian