SB2023080960 - Out-of-bounds write in Mongoose

Published: August 9, 2023 Updated: June 23, 2025

Security Bulletin ID SB2023080960
Severity
High
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Adjacent network
Highest impact Code execution

Breakdown by Severity

High 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Out-of-bounds write (CVE-ID: CVE-2023-2905)

The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.

Due to a failure to validate the length of a parsed MQTT_CMD_PUBLISH message with a variable-length header, Cesanta Mongoose, an embeddable web server, version 7.10 is susceptible to a heap-based buffer overflow in the default configuration. Versions 7.9 and prior do not appear to be vulnerable. This issue is resolved in version 7.11.
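The class of check the bulletin describes is illustrated by the following added example, which is not Mongoose's code and is not the fix shipped in 7.11. It is a stand-alone MQTT PUBLISH parser that validates the variable-length "Remaining Length" field and the topic-length field against the bytes actually received before producing any pointer into the buffer; the `mqtt_parse_publish` function, its negative return codes and the sample packets are all constructed here for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MQTT_CMD_PUBLISH 3 /* PUBLISH control-packet type, upper nibble of the first byte */

struct mqtt_publish {
  const uint8_t *topic;   size_t topic_len;
  const uint8_t *payload; size_t payload_len;
  uint8_t qos;
  uint16_t packet_id;
};

/* Decode the 1..4 byte "Remaining Length" varint (7 data bits per byte, high bit = continue).
   Returns the number of bytes consumed, or 0 if the field is truncated or overlong. */
static size_t mqtt_decode_remaining_len(const uint8_t *buf, size_t len, uint32_t *out) {
  uint32_t value = 0, mult = 1;
  for (size_t i = 0; i < 4 && i < len; i++) {
    value += (uint32_t)(buf[i] & 0x7f) * mult;
    if ((buf[i] & 0x80) == 0) { *out = value; return i + 1; }
    mult *= 128;
  }
  return 0;
}

/* Parse a PUBLISH packet. Every length field is checked against the bytes on hand before
   it is used, so no field can steer a read or copy past the received buffer.
   Returns 0 on success, a negative code describing the malformation otherwise. */
int mqtt_parse_publish(const uint8_t *buf, size_t len, struct mqtt_publish *out) {
  uint32_t rem;
  if (len < 2) return -1;
  if ((buf[0] >> 4) != MQTT_CMD_PUBLISH) return -2;
  size_t n = mqtt_decode_remaining_len(buf + 1, len - 1, &rem);
  if (n == 0) return -3;
  size_t pos = 1 + n;
  if (rem > len - pos) return -4;        /* declared body is longer than what was received */
  size_t end = pos + rem;
  if (end - pos < 2) return -5;          /* no room for the 2-byte topic length */
  size_t tlen = ((size_t)buf[pos] << 8) | buf[pos + 1];
  pos += 2;
  if (tlen > end - pos) return -6;       /* topic length exceeds the remaining variable header */
  out->topic = buf + pos; out->topic_len = tlen; pos += tlen;
  out->qos = (buf[0] >> 1) & 3;
  if (out->qos == 3) return -7;          /* reserved QoS value */
  out->packet_id = 0;
  if (out->qos > 0) {
    if (end - pos < 2) return -8;        /* QoS 1/2 require a packet identifier */
    out->packet_id = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
    pos += 2;
  }
  out->payload = buf + pos; out->payload_len = end - pos;
  return 0;
}

/* Constructed sample packets (hand-built for this example, not captured traffic). */
static const uint8_t kValidQos0[]   = {0x30, 0x07, 0x00, 0x03, 'a', '/', 'b', 'h', 'i'};
static const uint8_t kValidQos1[]   = {0x32, 0x09, 0x00, 0x03, 'a', '/', 'b', 0x00, 0x2A, 'h', 'i'};
static const uint8_t kBadTopicLen[] = {0x30, 0x07, 0x00, 0x40, 'a', '/', 'b', 'h', 'i'}; /* claims a 64-byte topic */
static const uint8_t kTruncated[]   = {0x30, 0x07, 0x00, 0x03, 'a'};                     /* body cut short */

static const struct { const uint8_t *p; size_t n; } kSamples[] = {
  {kValidQos0, sizeof kValidQos0}, {kValidQos1, sizeof kValidQos1},
  {kBadTopicLen, sizeof kBadTopicLen}, {kTruncated, sizeof kTruncated},
};

/* Parse sample `which` (0..3); `out` may be NULL when only the return code matters. */
int mqtt_parse_sample(int which, struct mqtt_publish *out) {
  struct mqtt_publish tmp;
  if (which < 0 || which >= 4) return -100;
  return mqtt_parse_publish(kSamples[which].p, kSamples[which].n, out ? out : &tmp);
}
/* Convenience accessors: a negative value is the parser's error code. */
long sample_topic_len(int which)   { struct mqtt_publish p; int rc = mqtt_parse_sample(which, &p); return rc ? rc : (long)p.topic_len; }
long sample_payload_len(int which) { struct mqtt_publish p; int rc = mqtt_parse_sample(which, &p); return rc ? rc : (long)p.payload_len; }
int  sample_packet_id(int which)   { struct mqtt_publish p; int rc = mqtt_parse_sample(which, &p); return rc ? rc : (int)p.packet_id; }

int main(void) {
  for (int i = 0; i < 4; i++) {
    struct mqtt_publish p;
    int rc = mqtt_parse_sample(i, &p);
    if (rc == 0)
      printf("sample %d: ok, topic_len=%zu payload_len=%zu qos=%u id=%u\n",
             i, p.topic_len, p.payload_len, p.qos, p.packet_id);
    else
      printf("sample %d: rejected, code %d\n", i, rc);
  }
  return 0;
}
```

Samples 2 and 3 are the cases a length check must catch: a topic-length field larger than the remaining header, and a remaining-length field larger than the data actually received. Both are rejected before any pointer is formed; a parser that trusts either field and copies into a fixed-size heap buffer is the shape of defect the bulletin describes.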


Remediation

Install the update from the vendor's website.