Lucene search

K
ubuntucveUbuntu.comUB:CVE-2023-28366
HistorySep 01, 2023 - 12:00 a.m.

CVE-2023-28366

2023-09-0100:00:00
ubuntu.com
ubuntu.com
7
eclipse mosquitto
memory leak
remote abuse
qos 2 messages
duplicate message ids
pubrec commands
refactoring
core functions
patches
version 2.0.16

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

41.2%

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a
memory leak that can be abused remotely when a client sends many QoS 2
messages with duplicate message IDs, and fails to respond to PUBREC
commands. This occurs because of mishandling of EAGAIN from the libc send
function.

Notes

Author Note
gianz Memory leak requiring refactoring of core functions to be fixed. Applying the patches to versions < 2.0.0 is likely to cause regressions.
OSVersionArchitecturePackageVersionFilename
ubuntu20.04noarchmosquitto< 1.6.9-1ubuntu0.1~esm1UNKNOWN
ubuntu22.04noarchmosquitto< 2.0.11-1ubuntu1.1UNKNOWN
ubuntu23.04noarchmosquitto< 2.0.11-1.2ubuntu0.1UNKNOWN

CVSS3

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

41.2%