CVE-2023-2905

Due to a failure to validate the length of a parsed MQTT_CMD_PUBLISH message with a variable-length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow in the default configuration. Versions 7.9 and prior do not appear to be vulnerable. This issue is resolved in version 7.11.
| Provider | Type | Base Score | Atk. Vector      | Atk. Complexity | Priv. Required | Vector                                       |
| NIST     | NIST | 8.8 HIGH   | ADJACENT_NETWORK | LOW             | NONE           | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| AHA      | CNA  | ---        |                  |                 |                | ---                                          |
| CVE      | ADP  | ---        |                  |                 |                | ---                                          |
| CISA-ADP | ADP  | ---        |                  |                 |                | ---                                          |