OpenCVE

Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Vendors	Products
Cesanta	Mongoose

Configuration 1 [-]

cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383

History

Tue, 19 Nov 2024 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Cesanta Cesanta mongoose
Weaknesses		NVD-CWE-Other
CPEs		cpe:2.3:a:cesanta:mongoose::::::::
Vendors & Products		Cesanta Cesanta mongoose

Mon, 18 Nov 2024 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 18 Nov 2024 09:30:00 +0000

Type	Values Removed	Values Added
Description		Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.
Title		Use of Out-of-range Pointer Offset in Mongoose Web Server library
Weaknesses		CWE-823
References		https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L'}`

MITRE

Status: PUBLISHED

Assigner: Nozomi

Published: 2024-11-18T09:04:24.283Z

Updated: 2024-11-18T13:36:30.205Z

Reserved: 2024-07-31T12:51:37.203Z

Link: CVE-2024-42383

Vulnrichment

Updated: 2024-11-18T13:36:14.838Z

NVD

Status : Analyzed

Published: 2024-11-18T10:15:06.667

Modified: 2024-11-19T17:55:22.020

Link: CVE-2024-42383

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-42383", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "state": "PUBLISHED", "assignerShortName": "Nozomi", "dateReserved": "2024-07-31T12:51:37.203Z", "datePublished": "2024-11-18T09:04:24.283Z", "dateUpdated": "2024-11-18T13:36:30.205Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://github.com/cesanta/mongoose", "defaultStatus": "unaffected", "product": "Mongoose Web Server", "vendor": "Cesanta", "versions": [{"lessThanOrEqual": "7.14", "status": "affected", "version": "0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Gabriele Quagliarella"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field."}], "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-823", "description": "CWE-823 Use of Out-of-range Pointer Offset", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2024-11-18T09:04:24.283Z"}, "references": [{"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "It is suggested to update the Mongoose Web Server library to v7.15."}], "value": "It is suggested to update the Mongoose Web Server library to v7.15."}], "source": {"discovery": "UNKNOWN"}, "title": "Use of Out-of-range Pointer Offset in Mongoose Web Server library", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">It is highly recommended to not expose the vulnerable component inside an untrusted network.</span><br>"}], "value": "It is highly recommended to not expose the vulnerable component inside an untrusted network."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-11-18T13:36:10.699419Z", "id": "CVE-2024-42383", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T13:36:30.205Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-42383", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-11-18T13:36:10.699419Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-11-18T13:36:14.838Z"}}], "cna": {"title": "Use of Out-of-range Pointer Offset in Mongoose Web Server library", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Gabriele Quagliarella"}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.2, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Cesanta", "product": "Mongoose Web Server", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "7.14"}], "collectionURL": "https://github.com/cesanta/mongoose", "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "It is suggested to update the Mongoose Web Server library to v7.15.", "supportingMedia": [{"type": "text/html", "value": "It is suggested to update the Mongoose Web Server library to v7.15.", "base64": false}]}], "references": [{"url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383"}], "workarounds": [{"lang": "en", "value": "It is highly recommended to not expose the vulnerable component inside an untrusted network.", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: rgb(255, 255, 255);\">It is highly recommended to not expose the vulnerable component inside an untrusted network.</span><br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.", "supportingMedia": [{"type": "text/html", "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-823", "description": "CWE-823 Use of Out-of-range Pointer Offset"}]}], "providerMetadata": {"orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "shortName": "Nozomi", "dateUpdated": "2024-11-18T09:04:24.283Z"}}}, "cveMetadata": {"cveId": "CVE-2024-42383", "state": "PUBLISHED", "dateUpdated": "2024-11-18T13:36:30.205Z", "dateReserved": "2024-07-31T12:51:37.203Z", "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c", "datePublished": "2024-11-18T09:04:24.283Z", "assignerShortName": "Nozomi"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*", "matchCriteriaId": "F73D607F-2879-4E92-BD95-E3ADBA7EFB25", "versionEndIncluding": "7.14", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field."}, {"lang": "es", "value": "El uso de la vulnerabilidad de desplazamiento de puntero fuera de rango en Cesanta Mongoose Web Server v7.14 permite escribir un valor de byte NULL m\u00e1s all\u00e1 del espacio de memoria dedicado para el campo de nombre de host."}], "id": "CVE-2024-42383", "lastModified": "2024-11-19T17:55:22.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 2.5, "source": "prodsec@nozominetworks.com", "type": "Secondary"}]}, "published": "2024-11-18T10:15:06.667", "references": [{"source": "prodsec@nozominetworks.com", "tags": ["Third Party Advisory"], "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383"}], "sourceIdentifier": "prodsec@nozominetworks.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-823"}], "source": "prodsec@nozominetworks.com", "type": "Secondary"}]}