CyberSec.Space Logo
Back to CVE Browser

CVE-2018-20355

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1560%
EPSS Percentile19.74th
PublishedJun 10, 2019
Last ModifiedNov 21, 2024

Vulnerability Description

An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.

Affected Platforms (CPE)

📦
Cesanta

Mongoose

<= 6.13

References & Advisories

🔗 https://github.com/insi2304/mongoose-6.13-fuzz/blob/master/Simplest_Web_Server_Use_After_Free-mg_http_free_proto_data_cgi.png
🔗 https://github.com/insi2304/mongoose-6.13-fuzz/blob/master/Simplest_Web_Server_Use_After_Free-mg_http_free_proto_data_cgi.png

Related Vulnerabilities

CVE-2018-203539.8

An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mo...

CVE-2018-203549.8

An invalid read of 8 bytes due to a use-after-free vulnerability during a "return" in the mg_http_get_proto_data function in mongo...

CVE-2018-203569.8

An invalid read of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in...

CVE-2019-129519.8

An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.