Memory leak in Eclipse Mosquitto

#VU79936 Memory leak in Eclipse Mosquitto

Published: 2023-08-24

Vulnerability identifier: #VU79936

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-28366

CWE-ID: CWE-401

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Eclipse Mosquitto
Server applications / Other server solutions

Vendor: Eclipse

Description
The vulnerability allows a remote user to perform DoS attack on the target system.

The vulnerability exists due memory leak in broker. A remote client can send multiple QoS 2 messages with the same message ID, but then never respond to the PUBREC commands, which results in memory leak and denial of service condition.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Eclipse Mosquitto: 2.0.0 - 2.0.15

External links
http://mosquitto.org/blog/2023/08/version-2-0-16-released/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in Juniper Networks Junos cRPD

Multiple vulnerabilities in Juniper Cloud Native Router

Multiple vulnerabilities in Red Hat Satellite 6.13 for RHEL 8

Multiple vulnerabilities in Red Hat Satellite 6.14

Gentoo update for Eclipse Mosquitto

Ubuntu update for mosquitto

Multiple vulnerabilities in IBM Integration Bus

Debian update for mosquitto

openEuler 22.03 LTS update for mosquitto

openEuler 22.03 LTS SP2 update for mosquitto