CVE-2023-28366

The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 26%
VendorProductVersion
eclipsemosquitto
1.3.2 ≤
𝑥
< 2.0.16
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mosquitto
bullseye (security)
2.0.11-1+deb11u1
fixed
bullseye
2.0.11-1+deb11u1
fixed
buster
ignored
bookworm
2.0.11-1.2+deb12u1
fixed
bookworm (security)
2.0.11-1.2+deb12u1
fixed
trixie
2.0.20-1
fixed
sid
2.0.20-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mosquitto
mantic
not-affected
lunar
Fixed 2.0.11-1.2ubuntu0.1
released
jammy
Fixed 2.0.11-1ubuntu1.1
released
focal
Fixed 1.6.9-1ubuntu0.1~esm1
released
bionic
ignored
xenial
ignored
trusty
not-affected
Common Weakness Enumeration
References
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://security.gentoo.org/glsa/202401-09
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
https://www.debian.org/security/2023/dsa-5511
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://security.gentoo.org/glsa/202401-09
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
https://www.debian.org/security/2023/dsa-5511