Vulnerabilities > CVE-2018-20355 - Use After Free vulnerability in Cesanta Mongoose

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

cesanta

CWE-416

NVD

Published: 2019-06-10

Updated: 2019-06-11

Summary

An invalid write of 8 bytes due to a use-after-free vulnerability in the mg_http_free_proto_data_cgi function call in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.13 and earlier allows a denial of service (application crash) or remote code execution.

Vulnerable Configurations

Part	Description	Count
Application	Cesanta Cesanta Mongoose 6.0 Cesanta Mongoose 6.1 Cesanta Mongoose 6.2 Cesanta Mongoose 6.3 Cesanta Mongoose 6.4 Cesanta Mongoose 6.5 Cesanta Mongoose 6.6 Cesanta Mongoose 6.7 Cesanta Mongoose 6.8 Cesanta Mongoose 6.9 Cesanta Mongoose 6.10 Cesanta Mongoose 6.11 Cesanta Mongoose 6.12 Cesanta Mongoose 6.13	14

Common Weakness Enumeration (CWE)

CWE-416 - Use After Free

References

https://github.com/insi2304/mongoose-6.13-fuzz/blob/master/Simplest_Web_Server_Use_After_Free-mg_http_free_proto_data_cgi.png