github - ghsa-897v-899r-j3hg

ghsa-897v-899r-j3hg

Vulnerability from github

Published

2023-09-01 18:30

Modified

2024-01-07 12:30

Severity

7.5 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2023-28366"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-401"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-09-01T16:15:07Z",
    "severity": "HIGH"
  },
  "details": "The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.",
  "id": "GHSA-897v-899r-j3hg",
  "modified": "2024-01-07T12:30:29Z",
  "published": "2023-09-01T18:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-28366"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X"
    },
    {
      "type": "WEB",
      "url": "https://mosquitto.org/blog/2023/08/version-2-0-16-released"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202401-09"
    },
    {
      "type": "WEB",
      "url": "https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2023/dsa-5511"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

cve-2023-28366

Vulnerability from cvelistv5

Published

2023-09-01 00:00

Modified

2024-08-02 12:38

Severity

Summary

References

URL	Tags
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/	vendor-advisory
https://www.debian.org/security/2023/dsa-5511	vendor-advisory
https://security.gentoo.org/glsa/202401-09	vendor-advisory

Impacted products

Vendor	Product
n/a	n/a

Show details on NVD website