CVE-2023-28366

Source: MITRE (www.cve.org)
Published: Sep 01, 2023

Tags: remote abuse, QoS 2 messages, duplicate message IDs, PUBREC commands, EAGAIN mishandling, memory leak

AI Score: 7.5
Confidence: High
EPSS: 0.001
Percentile: 41.2%

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be triggered remotely when a client sends many QoS 2 PUBLISH messages with duplicate message IDs and never answers the broker's PUBREC packets (the QoS 2 flow expects a PUBREL from the client). The leak occurs because the broker mishandles EAGAIN returned by the libc send function. Fixed in Mosquitto 2.0.16.
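The traffic pattern above (QoS 2 PUBLISH packets that reuse a packet identifier while the client withholds PUBREL) is easy to spot on the wire. The following is an added example written for this page, not Mosquitto's own code: a minimal MQTT 3.1.1 control-packet parser for the client-to-broker direction plus a per-client tracker that counts QoS 2 packet IDs reused before their handshake completes. The sample streams, the `Qos2Tracker` class and the alert threshold of 8 are constructed assumptions for illustration, not values taken from the advisory.

```python
"""Detect the QoS 2 abuse pattern described for CVE-2023-28366.

Added example (not Mosquitto code). Parses MQTT 3.1.1 packets sent by a
client to the broker and flags a client that keeps sending QoS 2 PUBLISH
packets whose packet identifier is still awaiting that client's PUBREL.
Sample traffic below is constructed, not captured.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PUBLISH, PUBREC, PUBREL, PUBCOMP = 3, 5, 6, 7  # MQTT control packet types


def encode_remaining_length(n: int) -> bytes:
    """MQTT variable-length integer (7 bits per byte, MSB = continuation)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80
        out.append(byte)
        if not n:
            return bytes(out)


def decode_remaining_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (value, position after the varint); at most 4 bytes per spec."""
    value, mult = 0, 1
    for _ in range(4):
        b = buf[pos]
        pos += 1
        value += (b & 0x7F) * mult
        if not b & 0x80:
            return value, pos
        mult *= 128
    raise ValueError("malformed remaining length")


def publish(topic: str, payload: bytes, qos: int, pid: int, dup: bool = False) -> bytes:
    """Build a PUBLISH packet; the packet identifier is present only for QoS > 0."""
    t = topic.encode()
    body = len(t).to_bytes(2, "big") + t
    if qos:
        body += pid.to_bytes(2, "big")
    body += payload
    flags = (int(dup) << 3) | (qos << 1)
    return bytes([(PUBLISH << 4) | flags]) + encode_remaining_length(len(body)) + body


def ack(ptype: int, pid: int) -> bytes:
    """Build PUBREC/PUBREL/PUBCOMP; PUBREL must carry fixed-header flags 0b0010."""
    flags = 0x02 if ptype == PUBREL else 0x00
    return bytes([(ptype << 4) | flags, 2]) + pid.to_bytes(2, "big")


@dataclass
class Packet:
    ptype: int
    qos: int
    pid: int | None


def parse_stream(buf: bytes) -> list[Packet]:
    """Split a byte stream into packets, extracting QoS and packet identifier."""
    packets, pos = [], 0
    while pos < len(buf):
        hdr = buf[pos]
        ptype, flags = hdr >> 4, hdr & 0x0F
        length, pos = decode_remaining_length(buf, pos + 1)
        body = buf[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        if ptype == PUBLISH:
            qos = (flags >> 1) & 0x03
            tlen = int.from_bytes(body[:2], "big")
            pid = int.from_bytes(body[2 + tlen:4 + tlen], "big") if qos else None
            packets.append(Packet(ptype, qos, pid))
        elif ptype in (PUBREC, PUBREL, PUBCOMP):
            packets.append(Packet(ptype, 0, int.from_bytes(body[:2], "big")))
        else:
            packets.append(Packet(ptype, 0, None))
    return packets


@dataclass
class Qos2Tracker:
    """Per-client state (hypothetical helper): QoS 2 IDs awaiting the client's PUBREL."""
    inflight: set[int] = field(default_factory=set)
    reused: int = 0

    def feed(self, pkt: Packet) -> None:
        if pkt.ptype == PUBLISH and pkt.qos == 2:
            if pkt.pid in self.inflight:
                self.reused += 1  # same ID again while its handshake is still open
            self.inflight.add(pkt.pid)
        elif pkt.ptype == PUBREL:
            self.inflight.discard(pkt.pid)  # handshake completed by the client


def count_reused(client_to_broker: bytes) -> int:
    tracker = Qos2Tracker()
    for pkt in parse_stream(client_to_broker):
        tracker.feed(pkt)
    return tracker.reused


def suspicious(client_to_broker: bytes, threshold: int = 8) -> bool:
    """Assumed threshold: a handful of DUP retransmits after reconnect is normal, dozens are not."""
    return count_reused(client_to_broker) >= threshold


# Constructed sample streams: one client that reuses ID 1 without ever sending
# PUBREL, and one that completes each QoS 2 exchange properly.
ABUSIVE = b"".join(publish("sensors/a", b"1", 2, 1) for _ in range(20))
BENIGN = b"".join(publish("sensors/a", b"1", 2, i) + ack(PUBREL, i) for i in range(1, 21))

if __name__ == "__main__":
    print("abusive:", count_reused(ABUSIVE), suspicious(ABUSIVE))
    print("benign:", count_reused(BENIGN), suspicious(BENIGN))
```

The detector only watches the client-to-broker direction, so it does not need to see the broker's PUBREC to work: a QoS 2 PUBLISH whose ID is still open until PUBREL arrives is exactly the state the description calls out. Pairing this with a version check (the affected range is 1.3.2 up to but not including 2.0.16) tells you whether a flagged client could actually be leaking broker memory.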