CVE-2019-13120

2019-10-0722:15:10

Google

osv.dev

6.9 Medium

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

53.8%

JSON

Amazon FreeRTOS up to and including v1.4.8 lacks length checking in prvProcessReceivedPublish, resulting in untargetable leakage of arbitrary memory contents on a device to an attacker. If an attacker has the authorization to send a malformed MQTT publish packet to an Amazon IoT Thing, which interacts with an associated vulnerable MQTT message in the application, specific circumstances could trigger this vulnerability.

CPENameOperatorVersion
amazon-freertoseq1.4.0
amazon-freertoseq1.4.5
amazon-freertoseq1.2.2
amazon-freertoseq1.4.7
amazon-freertoseq1.4.3
amazon-freertoseq1.3.1
amazon-freertoseq1.2.5
amazon-freertoseq1.2.7
amazon-freertoseq1.4.1
amazon-freertoseq1.4.4

Name	Operator	Version
amazon-freertos	eq	1.4.0
amazon-freertos	eq	1.4.5
amazon-freertos	eq	1.2.2
amazon-freertos	eq	1.4.7
amazon-freertos	eq	1.4.3
amazon-freertos	eq	1.3.1
amazon-freertos	eq	1.2.5
amazon-freertos	eq	1.2.7
amazon-freertos	eq	1.4.1
amazon-freertos	eq	1.4.4

Rows per page:

1-10 of 221

References

aws.amazon.com/cn/freertos/security-updates/