CVE-2019-20892

Name
CVE-2019-20892
Description
net-snmp before 5.8.1.pre1 has a double free in usm_free_usmStateReference in snmplib/snmpusm.c via an SNMPv3 GetBulk request. NOTE: this affects net-snmp packages shipped to end users by multiple Linux distributions, but might not affect an upstream release.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Exploit https://sourceforge.net/p/net-snmp/bugs/2923/
Exploit https://bugzilla.redhat.com/show_bug.cgi?id=1663027
Exploit https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/1877027
Patch https://github.com/net-snmp/net-snmp/commit/5f881d3bf24599b90d67a45cae7a3eb099cd71c9
Exploit http://www.openwall.com/lists/oss-security/2020/06/25/4
Third Party Advisory https://usn.ubuntu.com/4410-1/
GENTOO https://security.gentoo.org/glsa/202008-12
MISC https://www.oracle.com/security-alerts/cpujan2021.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:net-snmp:net-snmp:*:*:*:*:*:*:*:* net-snmp >= None <= 5.8

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
net-snmp 3.12-main 5.8-r3 Carlo Landmeter <clandmeter@gmail.com> fixed
net-snmp 3.12-main 5.8-r0 None fixed
net-snmp 3.11-main 5.8-r3 Carlo Landmeter <clandmeter@gmail.com> fixed
net-snmp 3.11-main 5.8-r0 None fixed