PT-2021-17025 · Cesanta+1 · Cesanta Mongoose Https Server+1

Cve-Reporting

Published

2021-02-08

Updated

2021-02-12

CVE-2021-26530

CVSS v3.1

9.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Name of the Vulnerable Software and Affected Versions Cesanta Mongoose HTTPS server version 7.0

Description The issue concerns a remote out-of-bounds (OOB) write attack via a connection request after exhausting the memory pool. This is related to the mg tls init function in the Cesanta Mongoose HTTPS server when compiled with OpenSSL support.

Recommendations For Cesanta Mongoose HTTPS server version 7.0, consider disabling the mg tls init function as a temporary workaround until a patch is available. Restrict access to the server to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Memory Corruption

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-787

Related Identifiers

CVE-2021-26530

Affected Products

Cesanta Mongoose Https Server

Openssl

PT-2021-17025 · Cesanta+1 · Cesanta Mongoose Https Server+1

CVE-2021-26530

Weakness Enumeration

Related Identifiers

Affected Products

References · 7