CVE-2017-7185 — HIGH (7.5) — White Hats Nepal

Q: How severe is CVE-2017-7185?

CVE-2017-7185 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2017-7185?

Check the references section above for vendor advisories and patch information. Affected products include: Cesanta Mongoose Embedded Web Server Library, Cesanta Mongoose Os.

Vulnerability Description

Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows remote attackers to cause a denial of service (crash) via a multipart/form-data POST request without a MIME boundary string.

CVSS Score

7.5

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

NONE

Availability

HIGH

Affected Products

Vendor	Product	Versions
Cesanta	Mongoose Embedded Web Server Library	<= 6.7
Cesanta	Mongoose Os	<= 1.2

Related Weaknesses (CWE)

CWE-416

References

http://www.securityfocus.com/archive/1/540355/100/0/threaded
http://www.securityfocus.com/bid/97370Third Party AdvisoryVDB Entry
https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6dPatchThird Party Advisory
https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cfPatchThird Party Advisory
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7ExploitTechnical DescriptionThird Party Advisory
https://www.exploit-db.com/exploits/41826/
http://www.securityfocus.com/archive/1/540355/100/0/threaded
http://www.securityfocus.com/bid/97370Third Party AdvisoryVDB Entry
https://github.com/cesanta/mongoose-os/commit/042eb437973a202d00589b13d628181c6dPatchThird Party Advisory
https://github.com/cesanta/mongoose/commit/b8402ed0733e3f244588b61ad5fedd093e3cfPatchThird Party Advisory
https://www.compass-security.com/fileadmin/Datein/Research/Advisories/CVE-2017-7ExploitTechnical DescriptionThird Party Advisory
https://www.exploit-db.com/exploits/41826/

FAQ

What is CVE-2017-7185?

CVE-2017-7185 is a vulnerability with a CVSS score of 7.5 (HIGH). Use-after-free vulnerability in the mg_http_multipart_wait_for_boundary function in mongoose.c in Cesanta Mongoose Embedded Web Server Library 6.7 and earlier and Mongoose OS 1.2 and earlier allows re...

How severe is CVE-2017-7185?

CVE-2017-7185 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2017-7185?

Check the references section above for vendor advisories and patch information. Affected products include: Cesanta Mongoose Embedded Web Server Library, Cesanta Mongoose Os.