Lucene search

K

[email protected]NVD:CVE-2023-28366

HistorySep 01, 2023 - 4:15 p.m.

CVE-2023-28366

2023-09-0116:15:07

CWE-401

[email protected]

web.nvd.nist.gov

1

cve-2023-28366

remote abuse

qos 2 messages

memory leak

pubrec commands

eagain mishandling

security vulnerability

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.3%

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Affected configurations

NVD

Node

eclipsemosquittoRange1.3.2–2.0.16

References

github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9

github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16

lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/

mosquitto.org/blog/2023/08/version-2-0-16-released/

security.gentoo.org/glsa/202401-09

www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt

www.debian.org/security/2023/dsa-5511

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.4 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

41.3%

Related for NVD:CVE-2023-28366

prion1 osv3 cve1 debiancve1 redhatcve1 ubuntucve1 cvelist1 veracode1 alpinelinux1 nessus8 fedora4 openvas6 ibm1 gentoo1 redhat2 debian1 ubuntu1