PT-2020-5336 · OpenWrt · OpenWrt+1

Published: 2020-11-19 · Updated: 2023-05-24 · CVE-2020-28951

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

OpenWrt versions 18.06.0 through 18.06.8
OpenWrt versions 19.0.0 through 19.07.4

Description

The issue is a use-after-free error in the libuci library of OpenWrt. It can be triggered by malicious package names, specifically in the uci_parse_package function in file.c and the uci_strdup function in util.c. Exploitation of this issue may allow a remote attacker to affect the confidentiality, integrity, and availability of protected information.

Recommendations

For OpenWrt versions 18.06.0 through 18.06.8, update to version 18.06.9 or later. For OpenWrt versions 19.0.0 through 19.07.4, update to version 19.07.5 or later. As a temporary workaround, consider restricting the use of untrusted (potentially malicious) package names to minimize the risk of exploitation.

Weakness Enumeration

Use After Free

Related Identifiers

BDU:2021-00131
CVE-2020-28951

Affected Products

OpenWrt
libuci