PRIOn knowledge base: PRION:CVE-2023-28366
History: Sep 01, 2023 - 4:15 p.m.

Memory corruption

PRIOn knowledge base
www.prio-n.com
Tags: memory corruption, eclipse mosquitto, remote abuse, qos 2 messages, duplicate message ids, pubrec commands, eagain mishandling, memory leak vulnerability

AI Score: 7.2 High (Confidence: High)
EPSS: 0.001 Low (Percentile: 41.2%)

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

CPE:
  Name        Operator   Version
  mosquitto   ge         1.3.2
  mosquitto   lt         2.0.16
