CVE-2023-2905
N/A
N/A
Summary
Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Cesanta | Mongoose | 7.10 | affected |
| Cesanta | Mongoose | 7.11 | unaffected |
Weaknesses
- CWE-122: CWE-122 Heap-based Buffer Overflow
ADP Enrichment
CVE Program Container
Additional References
- https://takeonme.org/cves/CVE-2023-2905.html
- https://github.com/cesanta/mongoose/pull/2274
- https://github.com/cesanta/mongoose/releases/tag/7.11
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
References
- https://takeonme.org/cves/CVE-2023-2905.html
- https://github.com/cesanta/mongoose/pull/2274
- https://github.com/cesanta/mongoose/releases/tag/7.11
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.