CVE-2018-17614

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2018-17614

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17614.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2018-17614

Published

2018-11-13T21:29:00.293Z

Modified

2025-11-20T10:47:47.489808Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Losant Arduino MQTT Client prior to V2.7. User interaction is not required to exploit this vulnerability. The specific flaw exists within the parsing of MQTT PUBLISH packets. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-6436.

References

Affected packages

Git / github.com/knolleary/pubsubclient

Affected ranges

Type: GIT
Repo: https://github.com/knolleary/pubsubclient
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

26ce89fa476da85399b736f885274d67676dacb8

Affected versions

2.*

2.4

v1.*

v1.1

v1.2

v1.3

v1.4

v1.5

v1.6

v1.7

v1.8

v1.9

v1.9.1

v2.*

v2.0

v2.1

v2.2

v2.3

v2.5

v2.6

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-17614.json"