
CVE-2023-2905 – Cesanta Mongoose MQTT Message Parsing Heap Overflow
https://notcve.org/view.php?id=CVE-2023-2905
09 Aug 2023 — Due to a failure in validating the length of a provided MQTT_CMD_PUBLISH parsed message with a variable length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow vulnerability in the default configuration. Version 7.9 and prior does not appear to be vulnerable. This issue is resolved in version 7.11. • https://github.com/cesanta/mongoose/pull/2274 • CWE-122: Heap-based Buffer Overflow CWE-787: Out-of-bounds Write •

CVE-2023-34188
https://notcve.org/view.php?id=CVE-2023-34188
23 Jun 2023 — The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests. • https://blog.narfindustries.com/blog/narf-discovers-critical-vulnerabilities-in-cesanta-mongoose-http-server • CWE-1284: Improper Validation of Specified Quantity in Input •

CVE-2023-30087
https://notcve.org/view.php?id=CVE-2023-30087
09 May 2023 — Buffer Overflow vulnerability found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_mk_string function in mjs.c. • https://github.com/cesanta/mjs/issues/244 • CWE-787: Out-of-bounds Write •

CVE-2023-30088
https://notcve.org/view.php?id=CVE-2023-30088
09 May 2023 — An issue found in Cesanta MJS v.1.26 allows a local attacker to cause a denial of service via the mjs_execute function in mjs.c. • https://github.com/cesanta/mjs/issues/243 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2023-29570
https://notcve.org/view.php?id=CVE-2023-29570
24 Apr 2023 — Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via mjs_ffi_cb_free at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS). • https://github.com/cesanta/mjs/issues/240 • CWE-770: Allocation of Resources Without Limits or Throttling •

CVE-2023-29569
https://notcve.org/view.php?id=CVE-2023-29569
14 Apr 2023 — Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via ffi_cb_impl_wpwwwww at src/mjs_ffi.c. This vulnerability can lead to a Denial of Service (DoS). • https://github.com/cesanta/mjs/issues/239 • CWE-476: NULL Pointer Dereference •

CVE-2023-29571
https://notcve.org/view.php?id=CVE-2023-29571
12 Apr 2023 — Cesanta MJS v2.20.0 was discovered to contain a SEGV vulnerability via gc_sweep at src/mjs_gc.c. This vulnerability can lead to a Denial of Service (DoS). • https://github.com/cesanta/mjs/issues/241 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •

CVE-2021-36535
https://notcve.org/view.php?id=CVE-2021-36535
03 Feb 2023 — Buffer Overflow vulnerability in Cesanta mJS 1.26 allows remote attackers to cause a denial of service via crafted .js file to mjs_set_errorf. • https://github.com/cesanta/mjs/issues/175 • CWE-787: Out-of-bounds Write •

CVE-2021-33443
https://notcve.org/view.php?id=CVE-2021-33443
26 Jul 2022 — An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is stack buffer overflow in mjs_execute() in mjs.c. • https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d • CWE-787: Out-of-bounds Write •

CVE-2021-33444
https://notcve.org/view.php?id=CVE-2021-33444
26 Jul 2022 — An issue was discovered in mjs (mJS: Restricted JavaScript engine), ES6 (JavaScript version 6). There is NULL pointer dereference in getprop_builtin_foreign() in mjs.c. • https://gist.github.com/Clingto/bb632c0c463f4b2c97e4f65f751c5e6d • CWE-476: NULL Pointer Dereference •