CVE-2017-2895

Name of the Vulnerable Software and Affected Versions Cesanta Mongoose version 6.8

Description An arbitrary memory read issue exists in the MQTT packet parsing functionality. A specially crafted MQTT SUBSCRIBE packet can cause an out-of-bounds memory read, potentially resulting in information disclosure and denial of service. An attacker can trigger this issue by sending a specially crafted MQTT packet over the network.

Recommendations For Cesanta Mongoose version 6.8, consider restricting access to the MQTT packet parsing functionality until a patch is available. As a temporary workaround, avoid using the affected MQTT SUBSCRIBE packet functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.