Vulnerability identifier: #VU79936
Vulnerability risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-401
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Eclipse Mosquitto
Server applications /
Other server solutions
Vendor: Eclipse
Description
The vulnerability allows a remote user to perform DoS attack on the target system.
The vulnerability exists due memory leak in broker. A remote client can send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands, which results in memory leak and denial of service condition.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Eclipse Mosquitto: 2.0.0 - 2.0.15
External links
http://mosquitto.org/blog/2023/08/version-2-0-16-released/
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.