CVE-2018-18765

Name of the Vulnerable Software and Affected Versions Cesanta Mongoose version 6.13

Description A memory read issue exists in the MQTT packet-parsing functionality, specifically a heap-based buffer over-read in mg mqtt next subscribe topic(). This can be triggered by a specially crafted MQTT SUBSCRIBE packet, potentially leading to information disclosure and denial of service. An attacker can exploit this by sending a crafted MQTT packet over the network.

Recommendations For Cesanta Mongoose version 6.13, as a temporary workaround, consider restricting access to the mg mqtt next subscribe topic() function until a patch is available. Avoid processing specially crafted MQTT SUBSCRIBE packets in the affected mg mqtt next subscribe topic() function to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.