CVE-2021-36980: 
Jenkins vulnerability analysis and mitigation

CVE-2021-36980 affects Open vSwitch (openvswitch) versions 2.11.0 through 2.15.0. The vulnerability is a use-after-free issue in the decodeNXASTRAWENCAP function, which is called from ofpactdecode and ofpactsdecode during the decoding of a RAWENCAP action (NVD).

The vulnerability is classified as a heap-use-after-free WRITE vulnerability. The issue occurs when decodeedprop() might re-allocate ofpbuf if there is insufficient space, but the function 'decodeNXASTRAW_ENCAP' continues to use the old pointer to the 'encap' structure, leading to write-after-free and incorrect decoding. The vulnerability has a CVSS v3.1 Base Score of 5.5 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (OSS-Fuzz).

The vulnerability can lead to a heap-use-after-free condition, which could potentially result in program crashes or denial of service. The CVSS scoring indicates that while the vulnerability requires local access and user interaction, it can lead to high availability impact with no confidentiality or integrity impacts (NVD).

The vulnerability has been fixed through multiple commits in the Open vSwitch repository. The fix involves getting a new pointer before using it in the decodeNXASTRAW_ENCAP function. Users should upgrade to versions after 2.15.0 which contain the security fixes (Gentoo Advisory).