CVE-2024-42385

Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters.

CVSS v3 7.0 HIGH

7.0^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.0 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*

History

19 Nov 2024, 17:54

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~4.0~~	v2 : unknown v3 : 7.0
CPE		cpe:2.3:a:cesanta:mongoose::::::::
References	~~() https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385 -~~	() https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385 - Third Party Advisory
CWE		NVD-CWE-Other
First Time		Cesanta Cesanta mongoose

18 Nov 2024, 17:11

Type	Values Removed	Values Added
Summary		(es) La vulnerabilidad de neutralización incorrecta de delimitadores en Cesanta Mongoose Web Server v7.14 permite activar una escritura en memoria fuera de los límites si el certificado PEM contiene caracteres inesperados.

18 Nov 2024, 10:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2024-11-18 10:15

Updated : 2024-11-19 17:54

NVD link : CVE-2024-42385

Mitre link : CVE-2024-42385

CVE.ORG link : CVE-2024-42385

JSON object : View

Products Affected

cesanta

mongoose

CWE

NVD-CWE-Other CWE-140

Improper Neutralization of Delimiters

{"id": "CVE-2024-42385", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.0, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.0}, {"type": "Secondary", "source": "prodsec@nozominetworks.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.0, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 0.3}]}, "published": "2024-11-18T10:15:07.187", "references": [{"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385", "tags": ["Third Party Advisory"], "source": "prodsec@nozominetworks.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}, {"type": "Secondary", "source": "prodsec@nozominetworks.com", "description": [{"lang": "en", "value": "CWE-140"}]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows to trigger an out-of-bound memory write if the PEM certificate contains unexpected characters."}, {"lang": "es", "value": "La vulnerabilidad de neutralizaci\u00f3n incorrecta de delimitadores en Cesanta Mongoose Web Server v7.14 permite activar una escritura en memoria fuera de los l\u00edmites si el certificado PEM contiene caracteres inesperados."}], "lastModified": "2024-11-19T17:54:31.197", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F73D607F-2879-4E92-BD95-E3ADBA7EFB25", "versionEndIncluding": "7.14"}], "operator": "OR"}]}], "sourceIdentifier": "prodsec@nozominetworks.com"}