Cesanta: >> Mongoose >> 6.16 Security Vulnerabilities
The HTTP server in Mongoose before 7.10 accepts requests containing negative Content-Length headers. By sending a single attack payload over TCP, an attacker can cause an infinite loop in which the server continuously reparses that payload, and does not respond to any other requests.
CVSS Score
7.5
EPSS Score
0.001
Published
2023-06-23
This affects the package cesanta/mongoose before 7.6. The unsafe handling of file names during upload using mg_http_upload() method may enable attackers to write files to arbitrary locations outside the designated target folder.
CVSS Score
9.8
EPSS Score
0.004
Published
2022-02-18
The mg_tls_init function in Cesanta Mongoose HTTPS server 7.0 and 6.7-6.18 (compiled with mbedTLS support) is vulnerable to remote OOB write attack via connection request after exhausting memory pool.
CVSS Score
9.1
EPSS Score
0.003
Published
2021-02-08
An integer overflow in parse_mqtt in mongoose.c in Cesanta Mongoose 6.16 allows an attacker to achieve remote DoS (infinite loop), or possibly cause an out-of-bounds write, by sending a crafted MQTT protocol packet.
CVSS Score
9.8
EPSS Score
0.03
Published
2019-11-26
Page 2