Vulnerability identifier: #VU83385
Vulnerability risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-400
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Eclipse Mosquitto
Server applications /
Other server solutions
Vendor: Eclipse
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can trigger resource exhaustion by establishing a connection to the mosquitto server without sending data, cause the EPOLLOUT event to be added, which results excessive CPU consumption.
Mitigation
Install updates from vendor's website.
Vulnerable software versions
Eclipse Mosquitto: 2.0.0 - 2.0.5
External links
http://github.com/eclipse/mosquitto/pull/2053
http://github.com/eclipse/mosquitto/commit/18bad1ff32435e523d7507e9b2ce0010124a8f2d
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.