CVE-2018-18764

Name of the Vulnerable Software and Affected Versions Cesanta Mongoose version 6.13

Description An arbitrary memory read issue exists in the MQTT packet-parsing functionality. It is a heap-based buffer over-read in a parse mqtt getu16 call. A specially crafted MQTT SUBSCRIBE packet can cause an out-of-bounds memory read, potentially resulting in information disclosure and denial of service. An attacker needs to send a specially crafted MQTT packet over the network to trigger this issue.

Recommendations For Cesanta Mongoose version 6.13, consider restricting access to the MQTT packet-parsing functionality until a patch is available. As a temporary workaround, avoid using the parse mqtt getu16 call in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this issue.