Published: 01/09/2023 Updated: 07/01/2024

CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

VMScore: 0

The broker in Eclipse Mosquitto 1.3.2 up to and including 2.x prior to 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Vulnerable Product	Search on Vulmon	Subscribe to Product
eclipse mosquitto

Several security vulnerabilities have been discovered in mosquitto, a MQTT compatible message broker, which may be abused for a denial of service attack CVE-2021-34434 In Eclipse Mosquitto when using the dynamic security plugin, if the ability for a client to make subscriptions on a topic is revoked when a durable client is offline, t ...

CWE-401 https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9 https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16 https://mosquitto.org/blog/2023/08/version-2-0-16-released/https://www.debian.org/security/2023/dsa-5511 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/https://security.gentoo.org/glsa/202401-09 https://nvd.nist.gov https://www.debian.org/security/2023/dsa-5511

Get Started

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

CVE-2023-28366

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect