CVE-2023-5632

2023-10-1809:15:10

CWE-834

[email protected]

web.nvd.nist.gov

cve-2023-5632

eclipse mosquito

denial of service

epollout event

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

13.4%

JSON

In Eclipse Mosquito before and including 2.0.5, establishing a connection to the mosquitto server without sending data causes the EPOLLOUT event to be added, which results excessive CPU consumption. This could be used by a malicious actor to perform denial of service type attack. This issue is fixed in 2.0.6

Affected configurations

NVD

Node

eclipsemosquittoRange<2.0.6

CPENameOperatorVersion
eclipse:mosquittoeclipse mosquittolt2.0.6

CPE	Name	Operator	Version
eclipse:mosquitto	eclipse mosquitto	lt	2.0.6

CNA Affected

[
  {
    "defaultStatus": "unaffected",
    "product": "Mosquitto",
    "programFiles": [
      "https://github.com/eclipse/mosquitto/blob/master/lib/packet_mosq.c"
    ],
    "repo": "https://github.com/eclipse/mosquitto",
    "vendor": "Eclipse",
    "versions": [
      {
        "lessThanOrEqual": "2.0.5",
        "status": "affected",
        "version": "0",
        "versionType": "custom"
      }
    ]
  }
]