CVE-2018-18765

Published: Oct 28, 2018

Modified: Aug 5, 2024

PUBLISHED

Description

An exploitable arbitrary memory read vulnerability exists in the MQTT packet-parsing functionality of Cesanta Mongoose 6.13. It is a heap-based buffer over-read in mg_mqtt_next_subscribe_topic. A specially crafted MQTT SUBSCRIBE packet can cause an arbitrary out-of-bounds memory read potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this vulnerability.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://twitter.com/thracky/status/1059472674940993541

x_refsource_MISC

https://github.com/TiffanyBlue/PoCbyMyself/blob/master/mongoose6.13/mqtt/Cesanta%20Mongoose%20MQTT%20mg_mqtt_next_subscribe_topic%20heap%20buffer%20overflow.md

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2018-18765

Description

Affected Products

References