cve-2017-7652
Vulnerability from cvelistv5
Published
2018-04-25 13:00
Modified
2024-08-05 16:12
Severity
Summary
In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.
References
| Source | URL | Tags |
|---|---|---|
| emo@eclipse.org | https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102 | Issue Tracking, Third Party Advisory |
| emo@eclipse.org | https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html | Mailing List, Third Party Advisory |
| emo@eclipse.org | https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html | Mailing List, Third Party Advisory |
| emo@eclipse.org | https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/ | Patch, Vendor Advisory |
| emo@eclipse.org | https://www.debian.org/security/2018/dsa-4325 | Third Party Advisory |
Impacted products
| Vendor | Product |
|---|---|
| The Eclipse Foundation | Eclipse Mosquitto |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T16:12:27.742Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1334-1] mosquitto security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/"
},
{
"name": "[debian-lts-announce] 20180629 [SECURITY] [DLA 1409-1] mosquitto security update",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102"
},
{
"name": "DSA-4325",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4325"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Eclipse Mosquitto",
"vendor": "The Eclipse Foundation",
"versions": [
{
"status": "affected",
"version": "1.4.14"
}
]
}
],
"datePublic": "2018-01-21T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-789",
"description": "CWE-789: Uncontrolled Memory Allocation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-26T09:57:01",
"orgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"shortName": "eclipse"
},
"references": [
{
"name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1334-1] mosquitto security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/"
},
{
"name": "[debian-lts-announce] 20180629 [SECURITY] [DLA 1409-1] mosquitto security update",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102"
},
{
"name": "DSA-4325",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4325"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "security@eclipse.org",
"ID": "CVE-2017-7652",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Eclipse Mosquitto",
"version": {
"version_data": [
{
"version_value": "1.4.14"
}
]
}
}
]
},
"vendor_name": "The Eclipse Foundation"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-789: Uncontrolled Memory Allocation"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[debian-lts-announce] 20180331 [SECURITY] [DLA 1334-1] mosquitto security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html"
},
{
"name": "https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/",
"refsource": "CONFIRM",
"url": "https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/"
},
{
"name": "[debian-lts-announce] 20180629 [SECURITY] [DLA 1409-1] mosquitto security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html"
},
{
"name": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102",
"refsource": "CONFIRM",
"url": "https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102"
},
{
"name": "DSA-4325",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4325"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e51fbebd-6053-4e49-959f-1b94eeb69a2c",
"assignerShortName": "eclipse",
"cveId": "CVE-2017-7652",
"datePublished": "2018-04-25T13:00:00",
"dateReserved": "2017-04-11T00:00:00",
"dateUpdated": "2024-08-05T16:12:27.742Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2017-7652\",\"sourceIdentifier\":\"emo@eclipse.org\",\"published\":\"2018-04-25T13:29:00.490\",\"lastModified\":\"2019-10-09T23:29:49.047\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Eclipse Mosquitto 1.4.14, if a Mosquitto instance is set running with a configuration file, then sending a HUP signal to server triggers the configuration to be reloaded from disk. If there are lots of clients connected so that there are no more file descriptors/sockets available (default limit typically 1024 file descriptors on Linux), then opening the configuration file will fail.\"},{\"lang\":\"es\",\"value\":\"En Eclipse Mosquitto, si se establece una instancia de Mosquitto ejecut\u00e1ndose con un archivo de configuraci\u00f3n, el env\u00edo de una se\u00f1al HUP al servidor provoca que la configuraci\u00f3n se recargue desde el disco. Si hay muchos clientes conectados de tal forma que ya no queden m\u00e1s descriptores de archivos/sockets disponibles (el l\u00edmite normal por defecto suele ser de 1024 descriptores de archivos en Linux), no se podr\u00e1 abrir el archivo de configuraci\u00f3n.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":6.8,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]},{\"source\":\"emo@eclipse.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-789\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:eclipse:mosquitto:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.0\",\"versionEndIncluding\":\"1.4.14\",\"matchCriteriaId\":\"369612A8-37B4-444B-AD17-9DF374006CB7\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"16F59A04-14CF-49E2-9973-645477EA09DA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"https://bugs.eclipse.org/bugs/show_bug.cgi?id=530102\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/03/msg00037.html\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2018/06/msg00016.html\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://mosquitto.org/blog/2018/02/security-advisory-cve-2017-7651-cve-2017-7652/\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4325\",\"source\":\"emo@eclipse.org\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
Loading...