emqx NanoMQ 0.15.0-0 mqtt_parser.c copyn_utf8_str heap-based overflow

Summaryinfo

A vulnerability classified as critical has been found in emqx NanoMQ 0.15.0-0. This impacts the function copyn_utf8_str of the file mqtt_parser.c. The manipulation leads to heap-based overflow. This vulnerability is uniquely identified as CVE-2023-29995. No exploit exists.

Detailsinfo

A vulnerability, which was classified as critical, has been found in emqx NanoMQ 0.15.0-0. This issue affects the function copyn_utf8_str of the file mqtt_parser.c. The manipulation with an unknown input leads to a heap-based overflow vulnerability. Using CWE to declare the problem leads to CWE-122. A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc(). Impacted is confidentiality, integrity, and availability. The summary by CVE is:

In NanoMQ v0.15.0-0, a Heap overflow occurs in copyn_utf8_str function of mqtt_parser.c

The weakness was disclosed 05/04/2023 as 1043. The advisory is shared at github.com. The identification of this vulnerability is CVE-2023-29995 since 04/07/2023. Technical details are known, but no exploit is available.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at EUVD (EUVD-2023-33525). Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Vendor

• emqx

Name

• NanoMQ

Version

• 0.15.0-0

Website

• Product: https://github.com/emqx/nanomq/

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion