CVE-2023-28366

EUVD-2023-32063
The broker in Eclipse Mosquitto 1.3.2 through 2.x before 2.0.16 has a memory leak that can be abused remotely when a client sends many QoS 2 messages with duplicate message IDs, and fails to respond to PUBREC commands. This occurs because of mishandling of EAGAIN from the libc send function.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA-ADPADP
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 23%
Affected Products (NVD)
VendorProductVersion
eclipsemosquitto
1.3.2 ≤
𝑥
< 2.0.16
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
mosquitto
bookworm
2.0.11-1.2+deb12u1
fixed
bookworm (security)
2.0.11-1.2+deb12u1
fixed
bullseye
2.0.11-1+deb11u1
fixed
bullseye (security)
2.0.11-1+deb11u1
fixed
buster
ignored
sid
2.0.20-1
fixed
trixie
2.0.20-1
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
mosquitto
bionic
ignored
focal
Fixed 1.6.9-1ubuntu0.1~esm1
released
jammy
Fixed 2.0.11-1ubuntu1.1
released
lunar
Fixed 2.0.11-1.2ubuntu0.1
released
mantic
not-affected
trusty
not-affected
xenial
ignored
Common Weakness Enumeration
References
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://security.gentoo.org/glsa/202401-09
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
https://www.debian.org/security/2023/dsa-5511
https://github.com/eclipse/mosquitto/commit/6113eac95a9df634fbc858be542c4a0456bfe7b9
https://github.com/eclipse/mosquitto/compare/v2.0.15...v2.0.16
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KJ2FMBGVVQEQWTTQB7YLKTAHMX2UM66X/
https://mosquitto.org/blog/2023/08/version-2-0-16-released/
https://security.gentoo.org/glsa/202401-09
https://www.compass-security.com/fileadmin/Research/Advisories/2023_02_CSNC-2023-001_Eclipse_Mosquitto_Memory_Leak.txt
https://www.debian.org/security/2023/dsa-5511