Memory leaking in Eclipse Mosquitto
The Eclipse Foundation is a Common Vulnerabilities and Exposures (CVE) Numbering Authority. This issue it used to request and track the progress of the assignment of a CVE for a vulnerability in the project code for an Eclipse open source project.
Basic information
Project name: Eclipse Mosquitto
Project id: iot.mosquitto
Request type: publication
Versions affected: [TBD, 2.0.18a]
Common Weakness Enumeration:
- {CWE-401: Missing Release of Memory after Effective Lifetime}
- {CWE-416: Use After Free}
- {CWE-248: Uncaught Exception}
Common Vulnerability Scoring System: {CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:P}
Summary:
In Eclipse Mosquitto up to version 2.0.18a, an attacker can achieve memory leaking, segmentation fault or heap-use-after-free by sending specific sequences of "CONNECT", "DISCONNECT", "SUBSCRIBE", "UNSUBSCRIBE" and "PUBLISH" packets.
Credits:
- Roman Kraus (Fraunhofer FOKUS)
- Steffen Lüdtke (Fraunhofer FOKUS)
- Martin Schneider (Fraunhofer FOKUS)
- Ramon Barakat (Fraunhofer FOKUS)
Links:
- {primary resolution link}