CVE-2024-42383 (GCVE-0-2024-42383)

Vulnerability from cvelistv5 – Published: 2024-11-18 09:04 – Updated: 2024-11-18 13:36
VLAI?
Summary
Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.
Severity ?
4.2 (Medium)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L
CWE
  • CWE-823 - Use of Out-of-range Pointer Offset
Assigner
References
Impacted products
Vendor Product Version
Cesanta Mongoose Web Server Affected: 0 , ≤ 7.14 (semver)
Create a notification for this product.
Credits
Gabriele Quagliarella
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42383",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-11-18T13:36:10.699419Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-11-18T13:36:30.205Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://github.com/cesanta/mongoose",
          "defaultStatus": "unaffected",
          "product": "Mongoose Web Server",
          "vendor": "Cesanta",
          "versions": [
            {
              "lessThanOrEqual": "7.14",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gabriele Quagliarella"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field."
            }
          ],
          "value": "Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 4.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-823",
              "description": "CWE-823 Use of Out-of-range Pointer Offset",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-11-18T09:04:24.283Z",
        "orgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
        "shortName": "Nozomi"
      },
      "references": [
        {
          "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "It is suggested to update the Mongoose Web Server library to v7.15."
            }
          ],
          "value": "It is suggested to update the Mongoose Web Server library to v7.15."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Use of Out-of-range Pointer Offset in Mongoose Web Server library",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eIt is highly recommended to not expose the vulnerable component inside an untrusted network.\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "It is highly recommended to not expose the vulnerable component inside an untrusted network."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bec8025f-a851-46e5-b3a3-058e6b0aa23c",
    "assignerShortName": "Nozomi",
    "cveId": "CVE-2024-42383",
    "datePublished": "2024-11-18T09:04:24.283Z",
    "dateReserved": "2024-07-31T12:51:37.203Z",
    "dateUpdated": "2024-11-18T13:36:30.205Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"7.14\", \"matchCriteriaId\": \"F73D607F-2879-4E92-BD95-E3ADBA7EFB25\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.\"}, {\"lang\": \"es\", \"value\": \"El uso de la vulnerabilidad de desplazamiento de puntero fuera de rango en Cesanta Mongoose Web Server v7.14 permite escribir un valor de byte NULL m\\u00e1s all\\u00e1 del espacio de memoria dedicado para el campo de nombre de host.\"}]",
      "id": "CVE-2024-42383",
      "lastModified": "2024-11-19T17:55:22.020",
      "metrics": "{\"cvssMetricV31\": [{\"source\": \"prodsec@nozominetworks.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"baseScore\": 4.2, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"LOW\"}, \"exploitabilityScore\": 1.6, \"impactScore\": 2.5}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 9.8, \"baseSeverity\": \"CRITICAL\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 5.9}]}",
      "published": "2024-11-18T10:15:06.667",
      "references": "[{\"url\": \"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383\", \"source\": \"prodsec@nozominetworks.com\", \"tags\": [\"Third Party Advisory\"]}]",
      "sourceIdentifier": "prodsec@nozominetworks.com",
      "vulnStatus": "Analyzed",
      "weaknesses": "[{\"source\": \"prodsec@nozominetworks.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-823\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-42383\",\"sourceIdentifier\":\"prodsec@nozominetworks.com\",\"published\":\"2024-11-18T10:15:06.667\",\"lastModified\":\"2024-11-19T17:55:22.020\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.\"},{\"lang\":\"es\",\"value\":\"El uso de la vulnerabilidad de desplazamiento de puntero fuera de rango en Cesanta Mongoose Web Server v7.14 permite escribir un valor de byte NULL m\u00e1s all\u00e1 del espacio de memoria dedicado para el campo de nombre de host.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"prodsec@nozominetworks.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L\",\"baseScore\":4.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"LOW\"},\"exploitabilityScore\":1.6,\"impactScore\":2.5},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"prodsec@nozominetworks.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-823\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:cesanta:mongoose:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"7.14\",\"matchCriteriaId\":\"F73D607F-2879-4E92-BD95-E3ADBA7EFB25\"}]}]}],\"references\":[{\"url\":\"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383\",\"source\":\"prodsec@nozominetworks.com\",\"tags\":[\"Third Party Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-42383\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2024-11-18T13:36:10.699419Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-11-18T13:36:14.838Z\"}}], \"cna\": {\"title\": \"Use of Out-of-range Pointer Offset in Mongoose Web Server library\", \"source\": {\"discovery\": \"UNKNOWN\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Gabriele Quagliarella\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 4.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"LOW\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"Cesanta\", \"product\": \"Mongoose Web Server\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"7.14\"}], \"collectionURL\": \"https://github.com/cesanta/mongoose\", \"defaultStatus\": \"unaffected\"}], \"solutions\": [{\"lang\": \"en\", \"value\": \"It is suggested to update the Mongoose Web Server library to v7.15.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"It is suggested to update the Mongoose Web Server library to v7.15.\", \"base64\": false}]}], \"references\": [{\"url\": \"https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2024-42383\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"It is highly recommended to not expose the vulnerable component inside an untrusted network.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cspan style=\\\"background-color: rgb(255, 255, 255);\\\"\u003eIt is highly recommended to not expose the vulnerable component inside an untrusted network.\u003c/span\u003e\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Use of Out-of-range Pointer Offset vulnerability in Cesanta Mongoose Web Server v7.14 allows to write a NULL byte value beyond the memory space dedicated for the hostname field.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-823\", \"description\": \"CWE-823 Use of Out-of-range Pointer Offset\"}]}], \"providerMetadata\": {\"orgId\": \"bec8025f-a851-46e5-b3a3-058e6b0aa23c\", \"shortName\": \"Nozomi\", \"dateUpdated\": \"2024-11-18T09:04:24.283Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-42383\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2024-11-18T13:36:30.205Z\", \"dateReserved\": \"2024-07-31T12:51:37.203Z\", \"assignerOrgId\": \"bec8025f-a851-46e5-b3a3-058e6b0aa23c\", \"datePublished\": \"2024-11-18T09:04:24.283Z\", \"assignerShortName\": \"Nozomi\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.