CVE-2017-7185 (GCVE-0-2017-7185)

Vulnerability from cvelistv5 – Published: 2017-04-10 15:00 – Updated: 2024-08-05 15:56

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	https://www.compass-security.com/fileadmin/Datein…	x_refsource_MISC
	http://www.securityfocus.com/bid/97370	vdb-entryx_refsource_BID
	http://www.securityfocus.com/archive/1/540355/100…	mailing-listx_refsource_BUGTRAQ
	https://github.com/cesanta/mongoose-os/commit/042…	x_refsource_CONFIRM
	https://github.com/cesanta/mongoose/commit/b8402e…	x_refsource_CONFIRM
	https://www.exploit-db.com/exploits/41826/	exploitx_refsource_EXPLOIT-DB

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T15:56:36.110Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
          },
          {
            "name": "97370",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/97370"
          },
          {
            "name": "20170404 CVE-2017-7185 - Mongoose OS - Use-after-free / Denial of Service",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
          },
          {
            "name": "41826",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/41826/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2017-04-03T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-09T18:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
        },
        {
          "name": "97370",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/97370"
        },
        {
          "name": "20170404 CVE-2017-7185 - Mongoose OS - Use-after-free / Denial of Service",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
        },
        {
          "name": "41826",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/41826/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-7185",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt",
              "refsource": "MISC",
              "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
            },
            {
              "name": "97370",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/97370"
            },
            {
              "name": "20170404 CVE-2017-7185 - Mongoose OS - Use-after-free / Denial of Service",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
            },
            {
              "name": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b",
              "refsource": "CONFIRM",
              "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
            },
            {
              "name": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc",
              "refsource": "CONFIRM",
              "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
            },
            {
              "name": "41826",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/41826/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2017-7185",
    "datePublished": "2017-04-10T15:00:00",
    "dateReserved": "2017-03-19T00:00:00",
    "dateUpdated": "2024-08-05T15:56:36.110Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cesanta:mongoose_embedded_web_server_library:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"6.7\", \"matchCriteriaId\": \"C372E1D0-CC94-4C7F-8EDE-A25656D73A28\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:cesanta:mongoose_os:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"1.2\", \"matchCriteriaId\": \"39C742BC-F245-41E6-8332-9915E2EB0963\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad use-after-free en la funci\\u00f3n mg_http_multipart_wait_for_boundary en mongoose.c en Cesanta Mongoose Embedded Web Server Library 6.7 y anteriores y Mongoose OS 1.2 y anteriores permite a los atacantes remotos provocar una denegaci\\u00f3n de servicio (ca\\u00edda) a trav\\u00e9s de un multipart/form-data POST solicitud sin una cadena de l\\u00edmite MIME.\"}]",
      "id": "CVE-2017-7185",
      "lastModified": "2024-11-21T03:31:20.163",
      "metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:N/A:P\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": true, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2017-04-10T15:59:00.503",
      "references": "[{\"url\": \"http://www.securityfocus.com/archive/1/540355/100/0/threaded\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/bid/97370\", \"source\": \"cve@mitre.org\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc\", \"source\": \"cve@mitre.org\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt\", \"source\": \"cve@mitre.org\", \"tags\": [\"Exploit\", \"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/41826/\", \"source\": \"cve@mitre.org\"}, {\"url\": \"http://www.securityfocus.com/archive/1/540355/100/0/threaded\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/97370\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Exploit\", \"Technical Description\", \"Third Party Advisory\"]}, {\"url\": \"https://www.exploit-db.com/exploits/41826/\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "cve@mitre.org",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-416\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2017-7185\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-04-10T15:59:00.503\",\"lastModified\":\"2025-04-20T01:37:25.860\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad use-after-free en la funci\u00f3n mg_http_multipart_wait_for_boundary en mongoose.c en Cesanta Mongoose Embedded Web Server Library 6.7 y anteriores y Mongoose OS 1.2 y anteriores permite a los atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de un multipart/form-data POST solicitud sin una cadena de l\u00edmite MIME.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-416\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cesanta:mongoose_embedded_web_server_library:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"6.7\",\"matchCriteriaId\":\"C372E1D0-CC94-4C7F-8EDE-A25656D73A28\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:cesanta:mongoose_os:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"1.2\",\"matchCriteriaId\":\"39C742BC-F245-41E6-8332-9915E2EB0963\"}]}]}],\"references\":[{\"url\":\"http://www.securityfocus.com/archive/1/540355/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/97370\",\"source\":\"cve@mitre.org\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/41826/\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/archive/1/540355/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/97370\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]},{\"url\":\"https://www.exploit-db.com/exploits/41826/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

FKIE_CVE-2017-7185

Vulnerability from fkie_nvd - Published: 2017-04-10 15:59 - Updated: 2025-04-20 01:37

Severity ?

7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Summary

References

URL	Tags
cve@mitre.org	http://www.securityfocus.com/archive/1/540355/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/97370	Third Party Advisory, VDB Entry
cve@mitre.org	https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b	Patch, Third Party Advisory
cve@mitre.org	https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc	Patch, Third Party Advisory
cve@mitre.org	https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt	Exploit, Technical Description, Third Party Advisory
cve@mitre.org	https://www.exploit-db.com/exploits/41826/
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/540355/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/97370	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc	Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt	Exploit, Technical Description, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://www.exploit-db.com/exploits/41826/

Impacted products

	Vendor	Product	Version
	cesanta	mongoose_embedded_web_server_library	*
	cesanta	mongoose_os	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:cesanta:mongoose_embedded_web_server_library:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C372E1D0-CC94-4C7F-8EDE-A25656D73A28",
              "versionEndIncluding": "6.7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:cesanta:mongoose_os:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "39C742BC-F245-41E6-8332-9915E2EB0963",
              "versionEndIncluding": "1.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad use-after-free en la funci\u00f3n mg_http_multipart_wait_for_boundary en mongoose.c en Cesanta Mongoose Embedded Web Server Library 6.7 y anteriores y Mongoose OS 1.2 y anteriores permite a los atacantes remotos provocar una denegaci\u00f3n de servicio (ca\u00edda) a trav\u00e9s de un multipart/form-data POST solicitud sin una cadena de l\u00edmite MIME."
    }
  ],
  "id": "CVE-2017-7185",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": true,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-04-10T15:59:00.503",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97370"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Exploit",
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.exploit-db.com/exploits/41826/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/97370"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Exploit",
        "Technical Description",
        "Third Party Advisory"
      ],
      "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.exploit-db.com/exploits/41826/"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-416"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

CNVD-2017-05422

Vulnerability from cnvd - Published: 2017-04-26

Title

Cesanta Mongoose Embedded Web Server Library和Mongoose OS内存错误引用漏洞

Description

Cesanta Mongoose Embedded Web Server Library和Mongoose OS都是美国Cesanta公司的产品。前者是一个用于嵌入式Web服务器的网络库；后者是一套开源的用于物联网的操作系统。 Cesanta Mongoose Embedded Web Server Library 6.7及之前的版本和Mongoose OS 1.2及之前的版本中的mongoose.c文件的'mg_http_multipart_wait_for_boundary'函数存在内存错误引用漏洞。远程攻击者可通过发送不带有MIME边界字符串的multipart/form-data POST请求利用该漏洞造成拒绝服务（崩溃）。

Severity

中

Patch Name

Cesanta Mongoose Embedded Web Server Library和Mongoose OS内存错误引用漏洞的补丁

Patch Description

Formal description

目前厂商已经发布了升级补丁以修复此安全问题，补丁获取链接: https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc

Reference

http://www.securityfocus.com/archive/1/archive/1/540355/100/0/threaded

Impacted products

Name
['Cesanta Mongoose Embedded Web Server Library <=6.7', 'Cesanta Mongoose OS <=1.2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "97370"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-7185",
      "cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7185"
    }
  },
  "description": "Cesanta Mongoose Embedded Web Server Library\u548cMongoose OS\u90fd\u662f\u7f8e\u56fdCesanta\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u4e2a\u7528\u4e8e\u5d4c\u5165\u5f0fWeb\u670d\u52a1\u5668\u7684\u7f51\u7edc\u5e93\uff1b\u540e\u8005\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7528\u4e8e\u7269\u8054\u7f51\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nCesanta Mongoose Embedded Web Server Library 6.7\u53ca\u4e4b\u524d\u7684\u7248\u672c\u548cMongoose OS 1.2\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u7684mongoose.c\u6587\u4ef6\u7684\u0027mg_http_multipart_wait_for_boundary\u0027\u51fd\u6570\u5b58\u5728\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u4e0d\u5e26\u6709MIME\u8fb9\u754c\u5b57\u7b26\u4e32\u7684multipart/form-data POST\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u5d29\u6e83\uff09\u3002",
  "discovererName": "COMPASS SECURITY",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6b64\u5b89\u5168\u95ee\u9898\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5:\r\nhttps://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-05422",
  "openTime": "2017-04-26",
  "patchDescription": "Cesanta Mongoose Embedded Web Server Library\u548cMongoose OS\u90fd\u662f\u7f8e\u56fdCesanta\u516c\u53f8\u7684\u4ea7\u54c1\u3002\u524d\u8005\u662f\u4e00\u4e2a\u7528\u4e8e\u5d4c\u5165\u5f0fWeb\u670d\u52a1\u5668\u7684\u7f51\u7edc\u5e93\uff1b\u540e\u8005\u662f\u4e00\u5957\u5f00\u6e90\u7684\u7528\u4e8e\u7269\u8054\u7f51\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nCesanta Mongoose Embedded Web Server Library 6.7\u53ca\u4e4b\u524d\u7684\u7248\u672c\u548cMongoose OS 1.2\u53ca\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u7684mongoose.c\u6587\u4ef6\u7684\u0027mg_http_multipart_wait_for_boundary\u0027\u51fd\u6570\u5b58\u5728\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u901a\u8fc7\u53d1\u9001\u4e0d\u5e26\u6709MIME\u8fb9\u754c\u5b57\u7b26\u4e32\u7684multipart/form-data POST\u8bf7\u6c42\u5229\u7528\u8be5\u6f0f\u6d1e\u9020\u6210\u62d2\u7edd\u670d\u52a1\uff08\u5d29\u6e83\uff09\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "Cesanta Mongoose Embedded Web Server Library\u548cMongoose OS\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "Cesanta Mongoose Embedded Web Server Library  \u003c=6.7",
      "Cesanta Mongoose OS \u003c=1.2"
    ]
  },
  "referenceLink": "http://www.securityfocus.com/archive/1/archive/1/540355/100/0/threaded",
  "serverity": "\u4e2d",
  "submitTime": "2017-04-12",
  "title": "Cesanta Mongoose Embedded Web Server Library\u548cMongoose OS\u5185\u5b58\u9519\u8bef\u5f15\u7528\u6f0f\u6d1e"
}

GSD-2017-7185

Vulnerability from gsd - Updated: 2023-12-13 01:21

Details

Aliases

CVE-2017-7185

Aliases

CVE-2017-7185

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-7185",
    "description": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.",
    "id": "GSD-2017-7185",
    "references": [
      "https://packetstormsecurity.com/files/cve/CVE-2017-7185"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-7185"
      ],
      "details": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.",
      "id": "GSD-2017-7185",
      "modified": "2023-12-13T01:21:07.206158Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-7185",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt",
            "refsource": "MISC",
            "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
          },
          {
            "name": "97370",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/97370"
          },
          {
            "name": "20170404 CVE-2017-7185 - Mongoose OS - Use-after-free / Denial of Service",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
          },
          {
            "name": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b",
            "refsource": "CONFIRM",
            "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
          },
          {
            "name": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc",
            "refsource": "CONFIRM",
            "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
          },
          {
            "name": "41826",
            "refsource": "EXPLOIT-DB",
            "url": "https://www.exploit-db.com/exploits/41826/"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:cesanta:mongoose_os:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cesanta:mongoose_embedded_web_server_library:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-7185"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-416"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt",
              "refsource": "MISC",
              "tags": [
                "Exploit",
                "Technical Description",
                "Third Party Advisory"
              ],
              "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
            },
            {
              "name": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
            },
            {
              "name": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc",
              "refsource": "CONFIRM",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
            },
            {
              "name": "97370",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/97370"
            },
            {
              "name": "41826",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "https://www.exploit-db.com/exploits/41826/"
            },
            {
              "name": "20170404 CVE-2017-7185 - Mongoose OS - Use-after-free / Denial of Service",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": true,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 3.6
        }
      },
      "lastModifiedDate": "2018-10-09T20:01Z",
      "publishedDate": "2017-04-10T15:59Z"
    }
  }
}

VAR-201704-1519

Vulnerability from variot - Updated: 2023-12-18 13:14

Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string. Cesanta Mongoose Embedded Web Server Library and Mongoose OS are both products of Cesanta, USA. The former is a network library for embedded Web servers; the latter is an open source operating system for the Internet of Things. Mongoose OS is prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the server, resulting in a denial-of-service condition. #############################################################

COMPASS SECURITY ADVISORY

https://www.compass-security.com/en/research/advisories/

Product: Mongoose OS

Vendor: Cesanta

CVE ID: CVE-2017-7185

CSNC ID: CSNC-2017-003

Subject: Use-after-free / Denial of Service

Risk: Medium

Effect: Remotely exploitable

Authors:

Philipp Promeuschel philipp.promeuschel@compass-security.com

Carel van Rooyen carel.vanrooyen@compass-security.com

Stephan Sekula stephan.sekula@compass-security.com

Date: 2017-04-03

Introduction:

Cesanta's Mongoose OS [1] - an open source operating system for the Internet of Things. Supported micro controllers: * ESP32 * ESP8266 * STM32 * TI CC3200

Additionally, Amazon AWS IoT is integrated for Cloud connectivity. Developers can write applications in C or JavaScript (the latter by using the v7 component of Mongoose OS).

Affected versions:

Vulnerable: * <= Release 1.2 Not vulnerable: * Patched in current dev / master branch Not tested: * N/A

Technical Description

The handling of HTTP-Multipart boundary [3] headers does not properly close connections when malformed requests are sent to the Mongoose server. This leads to a use-after-free/null-pointer-de-reference vulnerability, causing the Mongoose HTTP server to crash. As a result, the entire system is rendered unusable.

The mg_parse_multipart [2] function performs proper checks for empty boundaries, but, since the flag "MG_F_CLOSE_IMMEDIATELY" does not have any effect, mg_http_multipart_continue() is called: --------------->8--------------- void mg_http_handler(struct mg_connection nc, int ev, void ev_data) { [CUT BY COMPASS] #if MG_ENABLE_HTTP_STREAMING_MULTIPART if (req_len > 0 && (s = mg_get_http_header(hm, "Content-Type")) != NULL && s->len >= 9 && strncmp(s->p, "multipart", 9) == 0) { mg_http_multipart_begin(nc, hm, req_len); // properly checks for empty boundary // however, the socket is not closed, and mg_http_multipart_continue() is executed mg_http_multipart_continue(nc); return; } ---------------8<--------------- In the mg_http_multipart_begin function, the boundary is correctly verified: --------------->8--------------- boundary_len = mg_http_parse_header(ct, "boundary", boundary, sizeof(boundary));

if (boundary_len == 0) { / * Content type is multipart, but there is no boundary, * probably malformed request / nc->flags = MG_F_CLOSE_IMMEDIATELY; DBG(("invalid request")); goto exit_mp; } ---------------8<--------------- However, the socket is not closed (even though the flag "MG_F_CLOSE_IMMEDIATELY" has been set), and mg_http_multipart_continue is executed. In mg_http_multipart_continue(), the method mg_http_multipart_wait_for_boundary() is executed: ---------------8<--------------- static void mg_http_multipart_continue(struct mg_connection c) { struct mg_http_proto_data pd = mg_http_get_proto_data(c); while (1) { switch (pd->mp_stream.state) { case MPS_BEGIN: { pd->mp_stream.state = MPS_WAITING_FOR_BOUNDARY; break; } case MPS_WAITING_FOR_BOUNDARY: { if (mg_http_multipart_wait_for_boundary(c) == 0) { return; } break; } --------------->8--------------- Then, mg_http_multipart_wait_for_boundary() tries to identify the boundary-string. However, this string has never been initialized, which causes c_strnstr to crash. ---------------8<--------------- static int mg_http_multipart_wait_for_boundary(struct mg_connection c) { const char boundary; struct mbuf io = &c->recv_mbuf; struct mg_http_proto_data pd = mg_http_get_proto_data(c);

if ((int) io->len < pd->mp_stream.boundary_len + 2) { return 0; }

boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len); if (boundary != NULL) { [CUT BY COMPASS] --------------->8---------------

Steps to reproduce

Request to HTTP server (code running on hardware device): ---------------8<--------------- POST / HTTP/1.1 Connection: keep-alive Content-Type: multipart/form-data; Content-Length: 1 1 --------------->8--------------- The above request results in a stack trace on the mongoose console: ---------------8<--------------- Guru Meditation Error of type LoadProhibited occurred on core 0. Exception was unhandled. Register dump: PC : 0x400014fd PS : 0x00060330 A0 : 0x801114b4 A1 : 0x3ffbfcf0 A2 : 0x00000000 A3 : 0xfffffffc A4 : 0x000000ff A5 : 0x0000ff00 A6 : 0x00ff0000 A7 : 0xff000000 A8 : 0x00000000 A9 : 0x00000085 A10 : 0xcccccccc A11 : 0x0ccccccc A12 : 0x00000001 A13 : 0x00000000 A14 : 0x00000037 A15 : 0x3ffbb3cc SAR : 0x0000000f EXCCAUSE: 0x0000001c EXCVADDR: 0x00000000 LBEG : 0x400014fd LEND : 0x4000150d LCOUNT : 0xffffffff

Backtrace: 0x400014fd:0x3ffbfcf0 0x401114b4:0x3ffbfd00 0x401136cc:0x3ffbfd30 0x401149ac:0x3ffbfe30 0x40114b71:0x3ffbff00 0x40112b80:0x3ffc00a0 0x40112dc6:0x3ffc00d0 0x40113295:0x3ffc0100 0x4011361a:0x3ffc0170 0x40111716:0x3ffc01d0 0x40103b8f:0x3ffc01f0 0x40105099:0x3ffc0210 --------------->8---------------

Further debugging shows that an uninitialized string has indeed been passed to c_strnstr: ---------------8<--------------- (gdb) info symbol 0x401114b4 c_strnstr + 12 in section .flash.text (gdb) list 0x401114b4 0x401114b4 is in c_strnstr (/mongoose-os/mongoose/mongoose.c:1720). warning: Source file is more recent than executable. 1715 } 1716 #endif / _WIN32 / 1717
1718 / The simplest O(mn) algorithm. Better implementation are GPLed / 1719 const char c_strnstr(const char s, const char find, size_t slen) WEAK; 1720 const char c_strnstr(const char s, const char find, size_t slen) { 1721 size_t find_length = strlen(find); 1722 size_t i; 1723
1724 for (i = 0; i < slen; i++) { (gdb) list 0x401136cc 0x401136cc is in mg_http_multipart_continue (/mongoose-os/mongoose/mongoose.c:5893). 5888 mg_http_free_proto_data_mp_stream(&pd->mp_stream); 5889 pd->mp_stream.state = MPS_FINISHED; 5890
5891 return 1; 5892 } 5893
5894 static int mg_http_multipart_wait_for_boundary(struct mg_connection c) { 5895 const char boundary; 5896 struct mbuf io = &c->recv_mbuf; 5897 struct mg_http_proto_data pd = mg_http_get_proto_data(c); (gdb) --------------->8---------------

Workaround / Fix:

Apply the following (tested and confirmed) patch: ---------------8<--------------- $ diff --git a/mongoose/mongoose.c b/mongoose/mongoose.c index 91dc8b9..063f8c6 100644 --- a/mongoose/mongoose.c +++ b/mongoose/mongoose.c @@ -5889,6 +5889,12 @@ static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) { return 0; }

if(pd->mp_stream.boundary == NULL){
pd->mp_stream.state = MPS_FINALIZE;
LOG(LL_INFO, ("invalid request: boundary not initialized"));
return 0;
} + boundary = c_strnstr(io->buf, pd->mp_stream.boundary, io->len); if (boundary != NULL) { const char *boundary_end = (boundary + pd->mp_stream.boundary_len); --------------->8--------------- The patch has been merged into Mongoose OS on github.com on 2017-04-03 [4]

Timeline:

2017-04-03: Coordinated public disclosure date 2017-04-03: Release of patch 2017-03-20: Initial vendor response, code usage sign-off 2017-03-19: Initial vendor notification 2017-03-19: Assigned CVE-2017-7185 2017-03-11: Confirmation and patching Philipp Promeuschel, Carel van Rooyen 2017-03-08: Initial inspection Philipp Promeuschel, Carel van Rooyen 2017-03-08: Discovery by Philipp Promeuschel

References:

[1] https://www.cesanta.com/ [2] https://github.com/cesanta/mongoose/blob/66a96410d4336c312de32b1cf5db954aab9ee2ec/mongoose.c#L7760 [3] http://www.ietf.org/rfc/rfc2046.txt [4] https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201704-1519",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "mongoose os",
        "scope": "lte",
        "trust": 1.8,
        "vendor": "cesanta",
        "version": "1.2"
      },
      {
        "model": "mongoose embedded web server library",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "cesanta",
        "version": "6.7"
      },
      {
        "model": "mongoose embedded web server and networking library",
        "scope": "lte",
        "trust": 0.8,
        "vendor": "cesanta",
        "version": "6.7"
      },
      {
        "model": "mongoose embedded web server library",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "cesanta",
        "version": "\u003c=6.7"
      },
      {
        "model": "mongoose os",
        "scope": "lte",
        "trust": 0.6,
        "vendor": "cesanta",
        "version": "\u003c=1.2"
      },
      {
        "model": "mongoose os",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cesanta",
        "version": "1.2"
      },
      {
        "model": "mongoose embedded web server library",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "cesanta",
        "version": "6.7"
      },
      {
        "model": "mongoose",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "cesanta",
        "version": "1.2"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "BID",
        "id": "97370"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:cesanta:mongoose_os:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "1.2",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:cesanta:mongoose_embedded_web_server_library:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "6.7",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "COMPASS SECURITY.",
    "sources": [
      {
        "db": "BID",
        "id": "97370"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2017-7185",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "acInsufInfo": true,
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "NVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "obtainAllPrivilege": false,
            "obtainOtherPrivilege": false,
            "obtainUserPrivilege": false,
            "severity": "MEDIUM",
            "trust": 1.0,
            "userInteractionRequired": false,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Network",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Partial",
            "baseScore": 5.0,
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-7185",
            "impactScore": null,
            "integrityImpact": "None",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "Medium",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "CNVD",
            "availabilityImpact": "PARTIAL",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CNVD-2017-05422",
            "impactScore": 2.9,
            "integrityImpact": "NONE",
            "severity": "MEDIUM",
            "trust": 0.6,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "NVD",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 3.9,
            "impactScore": 3.6,
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "trust": 1.0,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          {
            "attackComplexity": "Low",
            "attackVector": "Network",
            "author": "NVD",
            "availabilityImpact": "High",
            "baseScore": 7.5,
            "baseSeverity": "High",
            "confidentialityImpact": "None",
            "exploitabilityScore": null,
            "id": "CVE-2017-7185",
            "impactScore": null,
            "integrityImpact": "None",
            "privilegesRequired": "None",
            "scope": "Unchanged",
            "trust": 0.8,
            "userInteraction": "None",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "NVD",
            "id": "CVE-2017-7185",
            "trust": 1.8,
            "value": "HIGH"
          },
          {
            "author": "CNVD",
            "id": "CNVD-2017-05422",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201703-811",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string. Cesanta Mongoose Embedded Web Server Library and Mongoose OS are both products of Cesanta, USA. The former is a network library for embedded Web servers; the latter is an open source operating system for the Internet of Things. Mongoose OS is prone to a denial-of-service vulnerability. \nAn attacker can exploit this issue to crash the server, resulting in a denial-of-service condition. #############################################################\n#\n# COMPASS SECURITY ADVISORY\n# https://www.compass-security.com/en/research/advisories/\n#\n#############################################################\n#\n# Product: Mongoose OS\n# Vendor: Cesanta\n# CVE ID: CVE-2017-7185\n# CSNC ID: CSNC-2017-003\n# Subject: Use-after-free / Denial of Service\n# Risk: Medium\n# Effect: Remotely exploitable\n# Authors:\n# Philipp Promeuschel \u003cphilipp.promeuschel@compass-security.com\u003e\n# Carel van Rooyen \u003ccarel.vanrooyen@compass-security.com\u003e\n# Stephan Sekula \u003cstephan.sekula@compass-security.com\u003e\n# Date: 2017-04-03\n#\n#############################################################\n \nIntroduction:\n-------------\nCesanta\u0027s Mongoose OS [1] - an open source operating system for the Internet of Things. Supported micro controllers:\n* ESP32\n* ESP8266\n* STM32\n* TI CC3200\n \nAdditionally, Amazon AWS IoT is integrated for Cloud connectivity. Developers can write applications in C or JavaScript (the latter by using the v7 component of Mongoose OS). \n \nAffected versions:\n---------\nVulnerable:\n * \u003c= Release 1.2\nNot vulnerable:\n * Patched in current dev / master branch\nNot tested:\n * N/A\n \nTechnical Description\n---------------------\nThe handling of HTTP-Multipart boundary [3] headers does not properly close connections when malformed requests are sent to the Mongoose server. \nThis leads to a use-after-free/null-pointer-de-reference vulnerability, causing the Mongoose HTTP server to crash. As a result, the entire system is rendered unusable. \n \n \nThe mg_parse_multipart [2] function performs proper checks for empty boundaries, but, since the flag \"MG_F_CLOSE_IMMEDIATELY\" does not have any effect, mg_http_multipart_continue() is called:\n---------------\u003e8---------------\nvoid mg_http_handler(struct mg_connection *nc, int ev, void *ev_data) {\n[CUT BY COMPASS]\n #if MG_ENABLE_HTTP_STREAMING_MULTIPART\n     if (req_len \u003e 0 \u0026\u0026 (s = mg_get_http_header(hm, \"Content-Type\")) != NULL \u0026\u0026\n         s-\u003elen \u003e= 9 \u0026\u0026 strncmp(s-\u003ep, \"multipart\", 9) == 0) {\n      mg_http_multipart_begin(nc, hm, req_len); // properly checks for empty boundary\n      // however, the socket is not closed, and mg_http_multipart_continue() is executed\n      mg_http_multipart_continue(nc);\n      return;\n}\n---------------8\u003c---------------\nIn the mg_http_multipart_begin function, the boundary is correctly verified:\n---------------\u003e8---------------\n  boundary_len =\n      mg_http_parse_header(ct, \"boundary\", boundary, sizeof(boundary));\n \n  if (boundary_len == 0) {\n    /*\n     * Content type is multipart, but there is no boundary,\n     * probably malformed request\n     */\n    nc-\u003eflags = MG_F_CLOSE_IMMEDIATELY;\n    DBG((\"invalid request\"));\n    goto exit_mp;\n  }\n---------------8\u003c---------------\nHowever, the socket is not closed (even though the flag \"MG_F_CLOSE_IMMEDIATELY\" has been set), and mg_http_multipart_continue is executed. \nIn mg_http_multipart_continue(), the method mg_http_multipart_wait_for_boundary() is executed:\n---------------8\u003c---------------\nstatic void mg_http_multipart_continue(struct mg_connection *c) {\n  struct mg_http_proto_data *pd = mg_http_get_proto_data(c);\n  while (1) {\n    switch (pd-\u003emp_stream.state) {\n      case MPS_BEGIN: {\n        pd-\u003emp_stream.state = MPS_WAITING_FOR_BOUNDARY;\n        break;\n      }\n      case MPS_WAITING_FOR_BOUNDARY: {\n        if (mg_http_multipart_wait_for_boundary(c) == 0) {\n          return;\n        }\n        break;\n      }\n---------------\u003e8---------------\nThen, mg_http_multipart_wait_for_boundary() tries to identify the boundary-string. However, this string has never been initialized, which causes c_strnstr to crash. \n---------------8\u003c---------------\nstatic int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {\n  const char *boundary;\n  struct mbuf *io = \u0026c-\u003erecv_mbuf;\n  struct mg_http_proto_data *pd = mg_http_get_proto_data(c);\n \n  if ((int) io-\u003elen \u003c pd-\u003emp_stream.boundary_len + 2) {\n    return 0;\n  }\n \n  boundary = c_strnstr(io-\u003ebuf, pd-\u003emp_stream.boundary, io-\u003elen);\n  if (boundary != NULL) {\n[CUT BY COMPASS]\n---------------\u003e8---------------\n \n \nSteps to reproduce\n-----------------\nRequest to HTTP server (code running on hardware device):\n---------------8\u003c---------------\nPOST / HTTP/1.1\nConnection: keep-alive\nContent-Type: multipart/form-data;\nContent-Length: 1\n1\n---------------\u003e8---------------\nThe above request results in a stack trace on the mongoose console:\n---------------8\u003c---------------\nGuru Meditation Error of type LoadProhibited occurred on core  0. Exception was unhandled. \nRegister dump:\nPC      : 0x400014fd  PS      : 0x00060330  A0      : 0x801114b4  A1      : 0x3ffbfcf0 \nA2      : 0x00000000  A3      : 0xfffffffc  A4      : 0x000000ff  A5      : 0x0000ff00 \nA6      : 0x00ff0000  A7      : 0xff000000  A8      : 0x00000000  A9      : 0x00000085 \nA10     : 0xcccccccc  A11     : 0x0ccccccc  A12     : 0x00000001  A13     : 0x00000000 \nA14     : 0x00000037  A15     : 0x3ffbb3cc  SAR     : 0x0000000f  EXCCAUSE: 0x0000001c \nEXCVADDR: 0x00000000  LBEG    : 0x400014fd  LEND    : 0x4000150d  LCOUNT  : 0xffffffff \n \nBacktrace: 0x400014fd:0x3ffbfcf0 0x401114b4:0x3ffbfd00 0x401136cc:0x3ffbfd30 0x401149ac:0x3ffbfe30 0x40114b71:0x3ffbff00 0x40112b80:0x3ffc00a0 0x40112dc6:0x3ffc00d0 0x40113295:0x3ffc0100 0x4011361a:0x3ffc0170 0x40111716:0x3ffc01d0 0x40103b8f:0x3ffc01f0 0x40105099:0x3ffc0210\n---------------\u003e8---------------\n \n \nFurther debugging shows that an uninitialized string has indeed been passed to c_strnstr:\n---------------8\u003c---------------\n(gdb) info symbol 0x401114b4\nc_strnstr + 12 in section .flash.text\n(gdb) list *0x401114b4\n0x401114b4 is in c_strnstr (/mongoose-os/mongoose/mongoose.c:1720). \nwarning: Source file is more recent than executable. \n1715    }\n1716    #endif /* _WIN32 */\n1717   \n1718    /* The simplest O(mn) algorithm. Better implementation are GPLed */\n1719    const char *c_strnstr(const char *s, const char *find, size_t slen) WEAK;\n1720    const char *c_strnstr(const char *s, const char *find, size_t slen) {\n1721      size_t find_length = strlen(find);\n1722      size_t i;\n1723   \n1724      for (i = 0; i \u003c slen; i++) {\n(gdb) list *0x401136cc\n0x401136cc is in mg_http_multipart_continue (/mongoose-os/mongoose/mongoose.c:5893). \n5888      mg_http_free_proto_data_mp_stream(\u0026pd-\u003emp_stream);\n5889      pd-\u003emp_stream.state = MPS_FINISHED;\n5890   \n5891      return 1;\n5892    }\n5893   \n5894    static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {\n5895      const char *boundary;\n5896      struct mbuf *io = \u0026c-\u003erecv_mbuf;\n5897      struct mg_http_proto_data *pd = mg_http_get_proto_data(c);\n(gdb)\n---------------\u003e8---------------\n \nWorkaround / Fix:\n-----------------\nApply the following (tested and confirmed) patch:\n---------------8\u003c---------------\n$ diff --git a/mongoose/mongoose.c b/mongoose/mongoose.c\nindex 91dc8b9..063f8c6 100644\n--- a/mongoose/mongoose.c\n+++ b/mongoose/mongoose.c\n@@ -5889,6 +5889,12 @@ static int mg_http_multipart_wait_for_boundary(struct mg_connection *c) {\n     return 0;\n   }\n  \n+  if(pd-\u003emp_stream.boundary == NULL){\n+      pd-\u003emp_stream.state = MPS_FINALIZE;\n+      LOG(LL_INFO, (\"invalid request: boundary not initialized\"));\n+      return 0;\n+  }\n+\n   boundary = c_strnstr(io-\u003ebuf, pd-\u003emp_stream.boundary, io-\u003elen);\n   if (boundary != NULL) {\n     const char *boundary_end = (boundary + pd-\u003emp_stream.boundary_len);\n---------------\u003e8---------------\nThe patch has been merged into Mongoose OS on github.com on 2017-04-03 [4]\n \nTimeline:\n---------\n2017-04-03: Coordinated public disclosure date\n2017-04-03: Release of patch\n2017-03-20: Initial vendor response, code usage sign-off\n2017-03-19: Initial vendor notification\n2017-03-19: Assigned CVE-2017-7185\n2017-03-11: Confirmation and patching Philipp Promeuschel, Carel van Rooyen\n2017-03-08: Initial inspection Philipp Promeuschel, Carel van Rooyen\n2017-03-08: Discovery by Philipp Promeuschel\n \nReferences:\n-----------\n[1] https://www.cesanta.com/\n[2] https://github.com/cesanta/mongoose/blob/66a96410d4336c312de32b1cf5db954aab9ee2ec/mongoose.c#L7760\n[3] http://www.ietf.org/rfc/rfc2046.txt\n[4] https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      },
      {
        "db": "BID",
        "id": "97370"
      },
      {
        "db": "PACKETSTORM",
        "id": "142021"
      }
    ],
    "trust": 3.06
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2017-7185",
        "trust": 3.4
      },
      {
        "db": "BID",
        "id": "97370",
        "trust": 1.9
      },
      {
        "db": "EXPLOIT-DB",
        "id": "41826",
        "trust": 1.0
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079",
        "trust": 0.8
      },
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "142021",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "BID",
        "id": "97370"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "PACKETSTORM",
        "id": "142021"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "id": "VAR-201704-1519",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      }
    ],
    "trust": 1.075
  },
  "iot_taxonomy": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot_taxonomy#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "category": [
          "IoT"
        ],
        "sub_category": null,
        "trust": 0.6
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      }
    ]
  },
  "last_update_date": "2023-12-18T13:14:19.182000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Fix crash in multipart handling (mongoose)",
        "trust": 0.8,
        "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
      },
      {
        "title": "Fix crash in multipart handling (mongoose-os)",
        "trust": 0.8,
        "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
      },
      {
        "title": "Patch for Cesanta Mongoose Embedded Web Server Library and Mongoose OS memory error reference vulnerability",
        "trust": 0.6,
        "url": "https://www.cnvd.org.cn/patchinfo/show/92752"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-416",
        "trust": 1.8
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.0,
        "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
      },
      {
        "trust": 1.6,
        "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
      },
      {
        "trust": 1.6,
        "url": "https://www.compass-security.com/fileadmin/datein/research/advisories/cve-2017-7185_mongoose_os_use_after_free.txt"
      },
      {
        "trust": 1.2,
        "url": "http://www.securityfocus.com/archive/1/archive/1/540355/100/0/threaded"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/97370"
      },
      {
        "trust": 1.0,
        "url": "https://www.exploit-db.com/exploits/41826/"
      },
      {
        "trust": 0.9,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-7185"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2017-7185"
      },
      {
        "trust": 0.4,
        "url": "https://www.cesanta.com/"
      },
      {
        "trust": 0.4,
        "url": "https://github.com/cesanta/mongoose/blob/66a96410d4336c312de32b1cf5db954aab9ee2ec/mongoose.c#l7760"
      },
      {
        "trust": 0.3,
        "url": "http://seclists.org/bugtraq/2017/apr/9"
      },
      {
        "trust": 0.1,
        "url": "https://www.compass-security.com/en/research/advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://www.ietf.org/rfc/rfc2046.txt"
      }
    ],
    "sources": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "BID",
        "id": "97370"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "PACKETSTORM",
        "id": "142021"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "db": "BID",
        "id": "97370"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "db": "PACKETSTORM",
        "id": "142021"
      },
      {
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-04-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "date": "2017-04-04T00:00:00",
        "db": "BID",
        "id": "97370"
      },
      {
        "date": "2017-05-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "date": "2017-04-03T18:32:22",
        "db": "PACKETSTORM",
        "id": "142021"
      },
      {
        "date": "2017-04-10T15:59:00.503000",
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "date": "2017-03-20T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2017-04-26T00:00:00",
        "db": "CNVD",
        "id": "CNVD-2017-05422"
      },
      {
        "date": "2017-04-11T01:02:00",
        "db": "BID",
        "id": "97370"
      },
      {
        "date": "2017-05-12T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      },
      {
        "date": "2018-10-09T20:01:43.417000",
        "db": "NVD",
        "id": "CVE-2017-7185"
      },
      {
        "date": "2017-04-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Cesanta Mongoose Embedded Web Server Library and  Mongoose OS of  mongoose.c Service disruption in  (DoS) Vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2017-003079"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201703-811"
      }
    ],
    "trust": 0.6
  }
}

GHSA-R945-W37W-79VF

Vulnerability from github – Published: 2022-05-14 02:45 – Updated: 2025-04-20 03:35

Details

Severity ?

7.5 (High)


                  
                    CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2017-7185"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-416"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-04-10T15:59:00Z",
    "severity": "HIGH"
  },
  "details": "Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.",
  "id": "GHSA-r945-w37w-79vf",
  "modified": "2025-04-20T03:35:44Z",
  "published": "2022-05-14T02:45:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7185"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6de5cf5b"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cf9cc"
    },
    {
      "type": "WEB",
      "url": "https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7185_mongoose_os_use_after_free.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/41826"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/540355/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97370"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-7185 (GCVE-0-2017-7185)

FKIE_CVE-2017-7185

CNVD-2017-05422

GSD-2017-7185

VAR-201704-1519

COMPASS SECURITY ADVISORY

https://www.compass-security.com/en/research/advisories/

Product: Mongoose OS

Vendor: Cesanta

CVE ID: CVE-2017-7185

CSNC ID: CSNC-2017-003

Subject: Use-after-free / Denial of Service

Risk: Medium

Effect: Remotely exploitable

Authors:

Philipp Promeuschel philipp.promeuschel@compass-security.com

Carel van Rooyen carel.vanrooyen@compass-security.com

Stephan Sekula stephan.sekula@compass-security.com

Date: 2017-04-03

Introduction:

Affected versions:

Technical Description

Steps to reproduce

Workaround / Fix:

Timeline:

References:

GHSA-R945-W37W-79VF

Tags

Sightings

Nomenclature