CVE-2023-2905

Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.
Configurations

Configuration 1 (hide)

cpe:2.3:a:cesanta:mongoose:7.10:*:*:*:*:*:*:*

History

16 Aug 2023, 20:49

Type Values Removed Values Added
First Time Cesanta
Cesanta mongoose
CPE cpe:2.3:a:cesanta:mongoose:7.10:*:*:*:*:*:*:*
References (MISC) https://github.com/cesanta/mongoose/pull/2274 - (MISC) https://github.com/cesanta/mongoose/pull/2274 - Patch
References (MISC) https://takeonme.org/cves/CVE-2023-2905.html - (MISC) https://takeonme.org/cves/CVE-2023-2905.html - Exploit, Patch, Third Party Advisory
References (MISC) https://github.com/cesanta/mongoose/releases/tag/7.11 - (MISC) https://github.com/cesanta/mongoose/releases/tag/7.11 - Release Notes
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 8.8
CWE CWE-787

09 Aug 2023, 05:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-08-09 05:15

Updated : 2024-02-28 20:33


NVD link : CVE-2023-2905

Mitre link : CVE-2023-2905

CVE.ORG link : CVE-2023-2905


JSON object : View

Products Affected

cesanta

  • mongoose
CWE
CWE-787

Out-of-bounds Write

CWE-122

Heap-based Buffer Overflow