Amazon FreeRTOS up to and including v1.4.8 for AWS lacks length checking in prvProcessReceivedPublish, resulting in leakage of arbitrary memory contents on a device to an attacker. An attacker sends a malformed MQTT publish packet, and waits for an MQTTACK packet containing the leaked data.

Published: 2019-10-07 22:15
Updated: 2019-10-15 14:38

CVSS Score: 5.0 / 10

| Vendor | Product | Version | URI |
| --- | --- | --- | --- |
| Amazon | Freertos | 1.4.8 | cpe:/o:amazon:freertos:1.4.8 |


| ID | Name | Description |
| --- | --- | --- |
| CWE-20 | Improper Input Validation | The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program. |

History of changes

Date Event
2019-10-15 14:38
2019-10-08 12:05