SB2025011371 - Multiple vulnerabilities in Mongoose
Published: January 13, 2025 Updated: June 23, 2025
Description
This security bulletin contains information about 10 security vulnerabilities, all of them reachable by a remote, unauthenticated attacker through the TLS handshake or the certificate and hostname parsing of Cesanta Mongoose Web Server v7.14.
1) Type conversion (CVE-ID: CVE-2024-42384)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Integer Overflow or Wraparound vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
2) Input validation error (CVE-ID: CVE-2024-42392)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to trigger an infinite loop if the input string contains unexpected characters.
3) Input validation error (CVE-ID: CVE-2024-42391)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
4) Input validation error (CVE-ID: CVE-2024-42390)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
5) Input validation error (CVE-ID: CVE-2024-42389)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
6) Input validation error (CVE-ID: CVE-2024-42388)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
7) Input validation error (CVE-ID: CVE-2024-42387)
The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and force the application to read unintended heap memory space.
8) Input validation error (CVE-ID: CVE-2024-42386)
The vulnerability allows a remote non-authenticated attacker to perform a denial of service (DoS) attack.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to send an unexpected TLS packet and produce a segmentation fault on the application.
9) Input validation error (CVE-ID: CVE-2024-42385)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Improper Neutralization of Delimiters vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to trigger an out-of-bounds memory write if the PEM certificate contains unexpected characters.
10) Input validation error (CVE-ID: CVE-2024-42383)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows an attacker to write a NULL byte beyond the memory space dedicated to the hostname field.
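The two bug classes that dominate this bulletin (a 16-bit length taken from the TLS record and used as a pointer offset without checking it against the bytes actually received, and a terminating NULL byte written one position past the hostname buffer) are illustrated in the C example below. This is illustrative code written for this bulletin, not Mongoose's source and not the vulnerable code behind any of the CVEs above; the server_name extension layout follows RFC 6066, while the function names, the MAX_HOST limit, the status codes and the sample inputs are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOST 255            /* longest hostname accepted (RFC 1035 limit); assumption */

enum sni_status { SNI_OK = 0, SNI_TRUNCATED, SNI_BAD_TYPE, SNI_TOO_LONG, SNI_BAD_CHAR };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(((uint16_t)p[0] << 8) | p[1]); }

/* Vulnerable pattern (hypothetical, illustrating the bug class only): the
 * 16-bit length field is trusted, so a host_len larger than the received
 * record makes memcpy read heap memory past the packet, and a host_len equal
 * to MAX_HOST makes the terminating NUL land one byte past the buffer.
 * It is never exercised below; it exists only for comparison. */
static void naive_parse_sni(const uint8_t *ext, char host[MAX_HOST]) {
    size_t host_len = rd16(ext + 3);      /* unchecked length from the wire */
    memcpy(host, ext + 5, host_len);      /* out-of-range read when host_len > packet */
    host[host_len] = '\0';                /* off-by-one NUL write when host_len == MAX_HOST */
}

/* Hardened parser for the body of a server_name extension (RFC 6066):
 *   u16 server_name_list length, u8 name_type (0 = host_name),
 *   u16 host_name length, host_name bytes.
 * Every length is compared against the bytes actually present before it is
 * used, written as (len > remaining) rather than (off + len > total) so the
 * check itself cannot wrap, and the output buffer reserves a byte for NUL. */
static enum sni_status safe_parse_sni(const uint8_t *ext, size_t ext_len,
                                      char host[MAX_HOST + 1]) {
    if (ext_len < 2) return SNI_TRUNCATED;
    size_t list_len = rd16(ext);
    size_t off = 2;
    if (list_len > ext_len - off || list_len < 3) return SNI_TRUNCATED;
    if (ext[off] != 0) return SNI_BAD_TYPE;              /* only host_name(0) is defined */
    size_t host_len = rd16(ext + off + 1);
    off += 3;
    if (host_len > list_len - 3) return SNI_TRUNCATED;   /* name claims more than the list holds */
    if (host_len == 0 || host_len > MAX_HOST) return SNI_TOO_LONG;
    for (size_t i = 0; i < host_len; i++) {              /* reject NUL, spaces and other delimiters */
        uint8_t c = ext[off + i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '-' || c == '.';
        if (!ok) return SNI_BAD_CHAR;
    }
    memcpy(host, ext + off, host_len);
    host[host_len] = '\0';                               /* always inside the MAX_HOST + 1 buffer */
    return SNI_OK;
}

/* Builds a well-formed extension body for `name` (constructed test input). */
static size_t build_sni(const char *name, uint8_t *out, size_t out_cap) {
    size_t n = strlen(name);
    if (n > 0xFFFF - 3 || n + 5 > out_cap) return 0;
    out[0] = (uint8_t)((n + 3) >> 8); out[1] = (uint8_t)(n + 3);
    out[2] = 0;                                          /* name_type = host_name */
    out[3] = (uint8_t)(n >> 8);       out[4] = (uint8_t)n;
    memcpy(out + 5, name, n);
    return n + 5;
}

int main(void) {
    uint8_t buf[600];
    char host[MAX_HOST + 1];
    size_t n = build_sni("example.com", buf, sizeof buf);
    printf("valid:     %d (%s)\n", safe_parse_sni(buf, n, host), host);
    printf("truncated: %d\n", safe_parse_sni(buf, n - 3, host));  /* packet shorter than claimed */
    buf[7] = 0;                                                    /* embedded NUL in the name */
    printf("bad char:  %d\n", safe_parse_sni(buf, n, host));
    char longname[300];
    memset(longname, 'a', 256); longname[256] = '\0';              /* one byte over MAX_HOST */
    n = build_sni(longname, buf, sizeof buf);
    printf("too long:  %d\n", safe_parse_sni(buf, n, host));
    (void)naive_parse_sni;                                         /* deliberately not called */
    return 0;
}
```

The point of the hardened version is that each length is validated against what remains in the buffer before it is used as an offset, the comparison is done by subtraction from the known remaining size so that an oversized value cannot wrap the check itself, and the destination buffer is one byte larger than the maximum name so the NUL terminator has a home. The character filter is the counterpart of the "unexpected characters" findings: a name containing a NUL or a delimiter is rejected up front rather than handed to string functions that would stop early or run on.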
Remediation
Install the fixed release from the vendor's website. All ten issues affect Mongoose v7.14; update to a release in which they are fixed (v7.15 or later). Until the update is deployed, restrict network access to the TLS listener, since every vulnerability above is triggered by an unauthenticated client during the TLS handshake.
References
- https://www.nozominetworks.com/blog
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42392
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42391
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42390
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42389
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42388
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42387
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42386
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42385
- https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383