CyberSec.Space Logo
CVEブラウザに戻る

CVE-2018-20353

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1730%
EPSS Percentile11.57th
Published2019年6月10日
Last Modified2024年11月21日

Vulnerability Description

An invalid read of 8 bytes due to a use-after-free vulnerability during a "NULL test" in the mg_http_get_proto_data function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.

Affected Platforms (CPE)

📦
Cesanta

Mongoose

<= 6.13

References & Advisories

🔗 https://github.com/insi2304/mongoose-6.13-fuzz/blob/master/Simplest_Web_Server_Use_After_Free-read-mg_http_get_proto_data5932.png
🔗 https://github.com/insi2304/mongoose-6.13-fuzz/blob/master/Simplest_Web_Server_Use_After_Free-read-mg_http_get_proto_data5932.png

関連する脆弱性情報

CVE-2018-203549.8

An invalid read of 8 bytes due to a use-after-free vulnerability during a "return" in the mg_http_get_proto_data function in mongo...

CVE-2018-203559.8

An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c i...

CVE-2018-203569.8

An invalid read of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in...

CVE-2019-129519.8

An issue was discovered in Mongoose before 6.15. The parse_mqtt() function in mg_mqtt.c has a critical heap-based buffer overflow.